[Openswan Users] Openswan Fedora 11 and SELinux issues
Scott Selvia
selvia_scott at hotmail.com
Sun Jun 28 08:07:58 EDT 2009
New to F11, but I have Openswan working in Ubuntu. Openswan installed
without problems, but when I run ipsec setup --start I get SELinux
errors. A co-worker using F10 has the same ipsec.conf working just fine,
but he disabled SELinux, which I would rather not do. Here are my
ipsec.conf and company.conf:

Any help would be great.
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/company.conf
company.conf:

conn company
        authby=secret
        type=tunnel
        keyingtries=1
        keyexchange=ike
        ike=3des-md5
        esp=3des-md5
        pfs=yes
        auto=start
        left=%defaultroute
        right=xxx.xxx.xxx.xxx
        rightsubnet=xxx.xxx.xxx.xxx/24

# disable opportunistic encryption
#conn block
#       auto=ignore
#conn private
#       auto=ignore
#conn private-or-clear
#       auto=ignore
#conn clear-or-private
#       auto=ignore
#conn clear
#       auto=ignore
#conn packetdefault
#       auto=ignore
I also get the following; I assume it's because of the policy issues:
[root@localhost etc]# ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.29.4-167.fc11.i686.PAE...
[root@localhost etc]# ipsec setup --status
IPsec stopped
but...
has subsystem lock (/var/lock/subsys/ipsec)!
Summary:
SELinux is preventing the lwdnsq from using potentially mislabeled files (tmp).
Allowing Access:
If you want lwdnsq to access this files, you need to relabel them using
restorecon -v 'tmp'. You might want to relabel the entire directory using
restorecon -R -v 'tmp'.
Additional Information:
Source Context unconfined_u:system_r:ipsec_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects tmp [ dir ]
Source pluto
Source Path /usr/libexec/ipsec/pluto
Port <Unknown>
Host localhost.localdomain
Source RPM Packages openswan-2.6.21-4.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-53.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count 64
First Seen Sat 27 Jun 2009 11:45:49 PM EDT
Last Seen Sun 28 Jun 2009 12:03:35 AM EDT
Local ID 91b6246f-d163-4a4a-a779-fc9d07b55601
Line Numbers
Summary:
SELinux is preventing pluto (ipsec_t) "write" to etc (etc_t).
Allowing Access:
You can attempt to fix file context by executing restorecon -v 'etc'
Fix Command:
restorecon 'etc'
Additional Information:
Source Context unconfined_u:system_r:ipsec_t:s0
Target Context system_u:object_r:etc_t:s0
Target Objects etc [ dir ]
Source pluto
Source Path /usr/libexec/ipsec/pluto
Port <Unknown>
Host localhost.localdomain
Source RPM Packages openswan-2.6.21-4.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-53.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name mislabeled_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count 24
First Seen Sat 27 Jun 2009 11:50:33 PM EDT
Last Seen Sun 28 Jun 2009 12:03:35 AM EDT
Local ID 9b0d01dd-ff64-442d-b583-51cda0cbd751
Line Numbers
Summary:
SELinux is preventing ip (ifconfig_t) "write" ipsec_t.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:ifconfig_t:s0
Target Context unconfined_u:system_r:ipsec_t:s0
Target Objects pipe [ fifo_file ]
Source ip
Source Path /sbin/ip
Port <Unknown>
Host localhost.localdomain
Source RPM Packages iproute-2.6.29-2.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.12-53.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count 4
First Seen Sat 27 Jun 2009 11:54:53 PM EDT
Last Seen Sun 28 Jun 2009 12:03:36 AM EDT
Local ID 6b242134-23b8-45ca-85f4-216ad6c384fd
Line Numbers
Summary:
SELinux is preventing setup (ipsec_mgmt_t) "write" to / (root_t).
Allowing Access:
You can attempt to fix file context by executing restorecon -v '/'
Fix Command:
restorecon '/'
Additional Information:
Source Context unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context system_u:object_r:root_t:s0
Target Objects / [ dir ]
Source setup
Source Path /bin/bash
Port <Unknown>
Host localhost.localdomain
Source RPM Packages bash-4.0-6.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-53.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name mislabeled_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count 4
First Seen Sat 27 Jun 2009 11:55:04 PM EDT
Last Seen Sun 28 Jun 2009 12:03:46 AM EDT
Local ID 01d8f932-d15c-4bd7-ad19-969a42b5a634
Line Numbers
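Added example, not part of the original post and not code from Openswan, setroubleshoot or the Fedora policy: a small pure-Python stand-in for the pipeline `ausearch -m avc | audit2allow -M openswan_local` that turns raw AVC denials into the `.te` module audit2allow would generate, so the allow rules can be read before anything is loaded with `semodule -i`. The audit.log lines are constructed to mirror the four alerts in the message (ipsec_t writing tmp_t and etc_t directories, ifconfig_t writing an ipsec_t pipe, ipsec_mgmt_t writing the root_t directory); the set of "generic filesystem types" that the review step flags is a heuristic assumed by this example, not a definition taken from SELinux policy.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not taken from the original post). The
# scontext/tcontext pairs mirror the four setroubleshoot alerts in the message.
# The SYSCALL record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1246164349.101:201): avc:  denied  { write } for  pid=2231 comm="pluto" name="tmp" dev=dm-0 ino=12 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1246164633.202:230): avc:  denied  { write } for  pid=2231 comm="pluto" name="etc" dev=dm-0 ino=20 scontext=unconfined_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1246164893.303:262): avc:  denied  { write } for  pid=2290 comm="ip" path="pipe:[31337]" dev=pipefs ino=31337 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:ipsec_t:s0 tclass=fifo_file
type=AVC msg=audit(1246164904.404:270): avc:  denied  { write } for  pid=2301 comm="setup" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1246164904.505:271): avc:  denied  { add_name } for  pid=2301 comm="setup" name="ipsec.tmp" dev=dm-0 ino=2 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=SYSCALL msg=audit(1246164904.505:271): arch=40000003 syscall=5 success=no exit=-13 comm="setup" exe="/bin/bash"
"""

# One AVC denial: the permission set in braces, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type from user:role:type[:level] (third colon-separated field)."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records carry no denial of their own
        denials.append((type_of(m.group("scon")), type_of(m.group("tcon")),
                        m.group("tclass"), tuple(m.group("perms").split())))
    return denials


def summarize(denials):
    """Merge permissions per (source_type, target_type, tclass), as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in merged.items()}


def to_te_rules(summary):
    """Render each merged denial as an allow rule in policy (.te) syntax."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


def render_te_module(name, summary, version="1.0"):
    """Build a complete loadable-module source: header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in summary.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + to_te_rules(summary)
    return "\n".join(out) + "\n"


# Assumption of this example (a heuristic, not SELinux policy): these are generic
# filesystem labels. A daemon domain needing write access to them usually points to
# a mislabeled file or an upstream policy gap rather than something to allow locally.
GENERIC_FS_TYPES = {"root_t", "etc_t", "tmp_t", "usr_t", "var_t"}
WRITE_LIKE = {"write", "add_name", "remove_name", "create", "unlink", "rename", "setattr"}


def rules_to_review(summary):
    """Keys of rules that would grant write-like access into generic filesystem types."""
    return sorted(key for key, perms in summary.items()
                  if key[1] in GENERIC_FS_TYPES and WRITE_LIKE.intersection(perms))


if __name__ == "__main__":
    summary = summarize(parse_avc_denials(SAMPLE_AUDIT_LOG))
    print(render_te_module("openswan_local", summary))
    for src, tgt, cls in rules_to_review(summary):
        print(f"REVIEW before loading: {src} -> {tgt}:{cls}")
```

On a real box the constructed text would be replaced by the output of `ausearch -m avc -ts recent`. Of the four rules this produces, only the ifconfig_t write to an ipsec_t fifo_file looks like a plain policy omission; the three that let ipsec_t or ipsec_mgmt_t write into etc_t, tmp_t and root_t directories are flagged for review, and checking the labels with `ls -Z` and filing the policy bug the third alert asks for is the safer path than loading those rules.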