SixXS::Sunset 2017-06-06

aiccu and selinux conflict
[nl] Shadow Hawkins on Friday, 17 October 2008 10:28:26
Hi,

It seems selinux does not like aiccu. I want them to become friends. On a Centos 5 X86_64 system I picked up aiccu from EPEL. The package installs just fine but has no selinux info. So when I start aiccu I get:

Oct 17 10:20:40 aragorn kernel: tun: Universal TUN/TAP device driver, 1.6
Oct 17 10:20:40 aragorn kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Oct 17 10:20:41 aragorn aiccu: Succesfully retrieved tunnel information for T17469
Oct 17 10:20:41 aragorn aiccu: AICCU running as PID 30008
Oct 17 10:20:41 aragorn kernel: sixxs: Disabled Privacy Extensions
Oct 17 10:20:41 aragorn aiccu: [AYIYA-start] : Anything in Anything (draft-02)
Oct 17 10:20:41 aragorn aiccu: [AYIYA-tun->tundev] : (Socket to TUN) started
Oct 17 10:20:43 aragorn setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t). For complete SELinux messages. run sealert -l 915fccce-d55c-42e0-9aa6-cd2975ce48e0

And the full report is:

Summary:
SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t).

Detailed Description:
SELinux denied access requested by ip. It is not expected that this access is required by ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context        user_u:system_r:ifconfig_t
Target Context        user_u:system_r:initrc_t
Target Objects        socket [ udp_socket ]
Source                ip
Source Path           /sbin/ip
Port                  <Unknown>
Host                  aragorn.hugo.vanderkooij.org
Source RPM Packages   iproute-2.6.18-7.el5
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-137.1.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             aragorn.hugo.vanderkooij.org
Platform              Linux aragorn.hugo.vanderkooij.org 2.6.18-92.el5 #1 SMP Tue Jun 10 18:51:06 EDT 2008 x86_64 x86_64
Alert Count           5
First Seen            Fri Oct 17 10:20:41 2008
Last Seen             Fri Oct 17 10:20:41 2008
Local ID              915fccce-d55c-42e0-9aa6-cd2975ce48e0
Line Numbers

Raw Audit Messages:
host=aragorn.hugo.vanderkooij.org type=AVC msg=audit(1224231641.611:3009): avc: denied { read write } for pid=30018 comm="ip" path="socket:[7701766]" dev=sockfs ino=7701766 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=udp_socket
host=aragorn.hugo.vanderkooij.org type=SYSCALL msg=audit(1224231641.611:3009): arch=c000003e syscall=59 success=yes exit=0 a0=1fa79440 a1=1fa79b40 a2=1fa78300 a3=3 items=0 ppid=30008 pid=30018 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=476 comm="ip" exe="/sbin/ip" subj=user_u:system_r:ifconfig_t:s0 key=(null)
aiccu and selinux conflict
[nl] Shadow Hawkins on Friday, 17 October 2008 10:38:40
The obvious question would be if someone happened to write up the proper selinux bit to append to this EPEL package. I have performed the steps in the FAQ so I got aiccu past this stage myself.
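
The local-policy route named in the sealert report, as an added example that is not part of the original posts or of the EPEL package: it parses the raw AVC record from the first post into the type-enforcement rule a local module would carry, and checks whether the denial was logged during execve, which is where access to descriptors inherited from the parent process is checked. The module name localaiccu and all helper names are assumptions; the resulting rule lets ifconfig_t read and write any initrc_t UDP socket, so it deserves review before it is loaded.

```python
import re

# Sample input: the two raw audit records quoted in the post, re-typed here.
AVC = ('type=AVC msg=audit(1224231641.611:3009): avc: denied { read write } '
       'for pid=30018 comm="ip" path="socket:[7701766]" dev=sockfs '
       'ino=7701766 scontext=user_u:system_r:ifconfig_t:s0 '
       'tcontext=user_u:system_r:initrc_t:s0 tclass=udp_socket')
SYSCALL = ('type=SYSCALL msg=audit(1224231641.611:3009): arch=c000003e '
           'syscall=59 success=yes exit=0 ppid=30008 pid=30018 comm="ip" '
           'exe="/sbin/ip" subj=user_u:system_r:ifconfig_t:s0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split key=value pairs, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_avc(line):
    """Return the type-enforcement view of one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial')
    kv = fields(m.group(2))
    return {'perms': m.group(1).split(),
            'source': kv['scontext'].split(':')[2],   # user:role:TYPE:level
            'target': kv['tcontext'].split(':')[2],
            'tclass': kv['tclass'], 'path': kv.get('path')}

def allow_rule(d):
    return 'allow %s %s:%s { %s };' % (
        d['source'], d['target'], d['tclass'], ' '.join(d['perms']))

def te_module(name, d):
    """Render a local policy module source (.te) holding just this rule."""
    types = ''.join('\ttype %s;\n' % t for t in sorted({d['source'], d['target']}))
    return ('module %s 1.0;\n\nrequire {\n%s\tclass %s { %s };\n}\n\n%s\n'
            % (name, types, d['tclass'], ' '.join(d['perms']), allow_rule(d)))

def denied_at_exec(avc, syscall):
    """True when both records share an event id and the syscall is x86_64 execve (59)."""
    event = lambda s: re.search(r'audit\(([^)]*)\)', s).group(1)
    s = fields(syscall)
    return (event(avc) == event(syscall)
            and s.get('arch') == 'c000003e' and s.get('syscall') == '59')

if __name__ == '__main__':
    denial = parse_avc(AVC)
    print(te_module('localaiccu', denial))   # 'localaiccu' is a made-up module name
    print('denied during execve:', denied_at_exec(AVC, SYSCALL))
```

The printed .te source is what checkmodule and semodule_package compile into a loadable module for semodule -i.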
aiccu and selinux conflict
[nl] Shadow Hawkins on Friday, 17 October 2008 10:59:32
One can follow the reported bug here: https://bugzilla.redhat.com/show_bug.cgi?id=467381

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker