
ocgltd 09-14-2008 12:05 PM

SeLinux local policy won't work
I am running a program (called pluto) which is denied by SELinux. I have tried several times to add the local policy for this but it still fails. Can anyone help?

Here is the syslog error:
Sep 14 11:53:22 firewall setroubleshoot: SELinux is preventing pluto (ipsec_t) "bind" to <Unknown> (ipsec_t). For complete SELinux messages. run sealert -l b7d18b53-fd62-4806-b16e-5a19c723c125

So I get the sealert info (extracting this line to file avc) as follows:
sealert -l b7d18b53-fd62-4806-b16e-5a19c723c125 | grep AVC > avc

The file contains:
type=AVC msg=audit(1221407602.428:4482): avc: denied { bind } for pid=24677 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=netlink_xfrm_socket

then I:
audit2allow -M local < avc
semodule -i local.pp

and finally restart my program. But the same SELinux alert appears in the syslog. What am I doing wrong?

Many thanks...

billymayday 09-15-2008 05:14 AM

Is it exactly the same message?

ocgltd 09-15-2008 08:55 AM

Yes, even the same sealert number / string. That's what seems odd...

unSpawn 09-16-2008 02:28 AM

The SE Linux rule sealert says is missing IIRC is "allow ipsec_t self:netlink_xfrm_socket bind;" (Reference Policy). It seems 'pluto' is running in "unconfined_u" and I wonder if it should be that way?..
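
As an added example (not from this thread or from audit2allow itself), a small Python parser that turns the AVC line quoted in the first post into the type-enforcement rule unSpawn names, and renders it as a .te module laid out like audit2allow -M output, so what should have landed in local.pp can be checked before semodule -i. The second denial in the sample input is constructed only to show a rule whose target type differs from the source.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: line 1 is the AVC denial quoted in the thread; line 2 is a
# made-up denial added only to show a rule whose target type differs from the source.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1221407602.428:4482): avc: denied { bind } for pid=24677 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=netlink_xfrm_socket
type=AVC msg=audit(1221407610.001:4490): avc: denied { read open } for pid=24677 comm="pluto" path="/etc/ipsec.secrets" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _perm_set(perms: Set[str]) -> str:
    """Policy syntax: a single permission is written bare, several are brace-enclosed."""
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"

def parse_avc(log: str) -> List[dict]:
    """One record per denial: permissions, source type, target type, object class.
    A context is user:role:type[:range]; type-enforcement rules use only the type."""
    return [{
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    } for m in _AVC_RE.finditer(log)]

def allow_rules(records: List[dict]) -> List[str]:
    """Merge denials into one allow rule per (source, target, class); the target is
    written as 'self' when source and target types match, as in the thread's rule."""
    merged: Dict[tuple, Set[str]] = {}
    for r in records:
        merged.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return [f"allow {s} {'self' if s == t else t}:{c} {_perm_set(p)};"
            for (s, t, c), p in sorted(merged.items())]

def te_module(name: str, records: List[dict]) -> str:
    """Render a .te file laid out like audit2allow -M output, for review before semodule -i."""
    types = sorted({r["stype"] for r in records} | {r["ttype"] for r in records})
    classes: Dict[str, Set[str]] = {}
    for r in records:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    return (f"module {name} 1.0;\n\nrequire {{\n" + "\n".join(req) + "\n}\n\n"
            + "\n".join(allow_rules(records)) + "\n")
```

If the .te generated by audit2allow -M local lacks the expected allow line, the module that was loaded does not address the denial, which is one reason the same alert can keep appearing after semodule -i.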

ocgltd 09-16-2008 10:59 AM

I'm afraid I'm beyond my depth on security contexts & SELinux etc...

Is there a way to cause SeLinux to allow Pluto to run in "unconfined_u" ? (Is that the limitation?)
unSpawn 09-16-2008 03:10 PM

I don't know policy for IPSEC, could look it up in the Reference Policy (policy source RPM or Tresys?).
