* Recommended location of setkey configuration file?
@ 2007-03-09 17:05 Paul Moore
  2007-03-09 18:31 ` Daniel J Walsh
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Moore @ 2007-03-09 17:05 UTC (permalink / raw)
  To: SE Linux; +Cc: Daniel J Walsh, Christopher J.PeBenito

All of the following is in regards to RHEL5 and the MLS policy.

I'm trying to use a configuration file with setkey to set up the IPsec SPD in 
the kernel at boot.  Initially I created the configuration file 
as /etc/racoon/setkey.conf and put a line in my rc.local to run setkey like 
so:

 /sbin/setkey -f /etc/racoon/setkey.conf

I ran into two problems with this approach (AVCs posted below):

***
type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 
comm="setkey" name="console" dev=tmpfs ino=725 
scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 
comm="setkey" name="console" dev=tmpfs ino=725 
scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 
comm="setkey" name="console" dev=tmpfs ino=725 
scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.721:304): avc:  denied  { search } for  pid=2102 
comm="setkey" name="racoon" dev=dm-0 ino=491816 
scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir
***

The first problem involving fd use seems to have a rather simple fix, which I 
don't imagine should cause any adverse effects:

 init_use_fds(setkey_t)

However, the second problem of setkey not being allowed to search 
the /etc/racoon directory makes me believe I'm not placing my setkey.conf in 
the right location, or I simply have it named incorrectly.  Yet a quick 
search through the Reference Policy doesn't show an obvious name or location.  
My hunch is that any location under /etc should work, i.e. /etc/setkey.conf, 
but I was curious to see what the "recommended" solution is ...

Thanks.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
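As an added example (not code from the thread), a small Python parser that reduces the AVC records above to the allow rules they imply, the way audit2allow does, so the result can be compared against the Reference Policy interface (init_use_fds) proposed above. The sample input is the AVCs from the post with the wrapped lines re-joined; duplicate denials collapse into one rule.

```python
import re
from collections import OrderedDict

# Constructed sample: the AVC records quoted in the post, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 comm="setkey" name="console" dev=tmpfs ino=725 scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 comm="setkey" name="console" dev=tmpfs ino=725 scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 comm="setkey" name="console" dev=tmpfs ino=725 scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
type=AVC msg=audit(1173457995.721:304): avc:  denied  { search } for  pid=2102 comm="setkey" name="racoon" dev=dm-0 ino=491816 scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir
"""

# Pull out verdict, permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def type_of(context):
    """Return the type component (user:role:TYPE[:mls]) of a SELinux context."""
    return context.split(':')[2]


def parse_avcs(text):
    """Parse AVC records from audit text; returns one dict per record."""
    recs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec['perms'] = rec['perms'].split()
            recs.append(rec)
    return recs


def allow_rules(recs):
    """Collapse denials into the minimal allow rules they imply (audit2allow style).

    Records are keyed by (source type, target type, class); permissions are unioned,
    so repeated denials of the same access yield a single rule.
    """
    needed = OrderedDict()
    for r in recs:
        if r['verdict'] != 'denied':
            continue
        key = (type_of(r['scontext']), type_of(r['tcontext']), r['tclass'])
        needed.setdefault(key, set()).update(r['perms'])
    rules = []
    for (stype, ttype, tclass), perms in needed.items():
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, body))
    return rules


if __name__ == '__main__':
    for rule in allow_rules(parse_avcs(SAMPLE_AUDIT)):
        print(rule)
```

The first rule is exactly what the init_use_fds() interface wraps; the second shows that setkey_t lacks search on ipsec_conf_file_t directories, which is the policy gap the reply below confirms.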


* Re: Recommended location of setkey configuration file?
  2007-03-09 17:05 Recommended location of setkey configuration file? Paul Moore
@ 2007-03-09 18:31 ` Daniel J Walsh
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2007-03-09 18:31 UTC (permalink / raw)
  To: Paul Moore; +Cc: SE Linux, Christopher J.PeBenito

Paul Moore wrote:
> All of the following is in regards to RHEL5 and the MLS policy.
>
> I'm trying to use a configuration file with setkey to set up the IPsec SPD in 
> the kernel at boot.  Initially I created the configuration file 
> as /etc/racoon/setkey.conf and put a line in my rc.local to run setkey like 
> so:
>
>  /sbin/setkey -f /etc/racoon/setkey.conf
>
> I ran into two problems with this approach (AVCs posted below):
>
> ***
> type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 
> comm="setkey" name="console" dev=tmpfs ino=725 
> scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 
> comm="setkey" name="console" dev=tmpfs ino=725 
> scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> type=AVC msg=audit(1173457995.695:303): avc:  denied  { use } for  pid=2102 
> comm="setkey" name="console" dev=tmpfs ino=725 
> scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
> tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fd
> type=AVC msg=audit(1173457995.721:304): avc:  denied  { search } for  pid=2102 
> comm="setkey" name="racoon" dev=dm-0 ino=491816 
> scontext=system_u:system_r:setkey_t:s0-s15:c0.c1023 
> tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir
> ***
>
> The first problem involving fd use seems to have a rather simple fix, which I 
> don't imagine should cause any adverse effects:
>
>  init_use_fds(setkey_t)
>
> However, the second problem of setkey not being allowed to search 
> the /etc/racoon directory makes me believe I'm not placing my setkey.conf in 
> the right location, or I simply have it named incorrectly.  Yet a quick 
> search through the Reference Policy doesn't show an obvious name or location.  
> My hunch is that any location under /etc should work, i.e. /etc/setkey.conf, 
> but I was curious to see what the "recommended" solution is ...
>
No, it looks like the policy intended the keys to be there.  This is also 
a bug in policy.
> Thanks.
>

