SeLinux local policy won't work

ocgltd · 09-14-2008, 11:05 AM

I am running a program (called pluto) which is denied be selinux. I have tried several times to add the local policy for this but it still fails. Can anyone help?

Here is the syslog error:
Sep 14 11:53:22 firewall setroubleshoot: SELinux is preventing pluto (ipsec_t) "bind" to <Unknown> (ipsec_t). For complete SELinux messages. run sealert -l b7d18b53-fd62-4806-b16e-5a19c723c125

So I get the sealert info (extracting this line to file avc) as follows:
sealert -l b7d18b53-fd62-4806-b16e-5a19c723c125 | grep AVC > avc
The file contains
host=firewall.ocg.ca type=AVC msg=audit(1221407602.428:4482): avc: denied { bind } for pid=24677 comm="pluto" scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=netlink_xfrm_socket

then I:
audit2allow -M local < avc
semodule -i local.pp

and finally restart my program. But the same SELinux alert appears in the syslog. What am I doing wrong?

Many thanks...
MD

billymayday · 09-15-2008, 04:14 AM

Is it exactly the same message?

ocgltd · 09-15-2008, 07:55 AM

Yes, even the same sealert number / string. That's what seems odd...

unSpawn · 09-16-2008, 01:28 AM

The SE Linux rule Sealert says is missing IIRC is "allow ipsec_t self:netlink_xfrm_socket bind;" (Reference Policy). It seems 'pluto' is running in "unconfined_u" and I wonder it should be that way?..

ocgltd · 09-16-2008, 09:59 AM

I'm afraid I'm beyond my depth on security contexts & SELinux etc...

Is there a way to cause SeLinux to allow Pluto to run in "unconfined_u" ? (Is that the limitation?)

Thanks,
MD

unSpawn · 09-16-2008, 02:10 PM

I don't know policy for IPSEC, could look it up in the Reference Policy (policy source RPM or Tresys?).