Friday, July 22, 2011

selinux, ipsec-tools and '/etc/racoon/racoon.conf'

The racoon daemon failed to start, and this message was logged:

# grep denied /var/log/messages
Jul 21 17:57:56 hexgate kernel: type=1400 audit(1311267452.973:4): avc: denied { getattr } for pid=2412 comm="racoon" path="/etc/racoon/racoon.conf" dev=md0 ino=1401757 scontext=system_u:system_r:racoon_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

So I guess I had got the wrong security context on the file. To fix it, I did this:

# ls -lZ /etc/racoon/racoon.conf
-rw------- root root root:object_r:user_home_t /etc/racoon/racoon.conf
#
# restorecon -v /etc/racoon/racoon.conf
restorecon reset /etc/racoon/racoon.conf context root:object_r:user_home_t:s0->system_u:object_r:ipsec_conf_file_t:s0
#
# ls -lZ /etc/racoon/racoon.conf
-rw------- root root system_u:object_r:ipsec_conf_file_t /etc/racoon/racoon.conf
#

...and then racoon started OK.
So what other file security contexts could be relevant to racoon?

# grep racoon /etc/selinux/targeted/contexts/files//file_contexts
/etc/racoon(/.*)? system_u:object_r:ipsec_conf_file_t:s0
/var/racoon(/.*)? system_u:object_r:ipsec_var_run_t:s0
/var/run/racoon.pid -- system_u:object_r:ipsec_var_run_t:s0
/etc/racoon/certs(/.*)? system_u:object_r:ipsec_key_file_t:s0
/usr/sbin/racoon -- system_u:object_r:racoon_exec_t:s0
/etc/racoon/psk\.txt -- system_u:object_r:ipsec_key_file_t:s0
#
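The denial above is the usual shape of an SELinux labeling problem: the source domain (racoon_t) is allowed to read ipsec_conf_file_t, but the file carried user_home_t because it was copied out of a home directory. The following is an added example, not part of the original post: a small POSIX shell helper that pulls the permission, source type, target type, class and path out of an AVC line and prints the dry-run relabel check (restorecon -n -v) to run next. The sample AVC line is constructed from the one logged above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): triage an SELinux AVC denial
# line by extracting the fields an admin needs and printing the dry-run
# restorecon check for the denied path.  Assumes only POSIX sh, sed and cut.

# Constructed sample, modelled on the denial in the post.
SAMPLE_AVC='Jul 21 17:57:56 hexgate kernel: type=1400 audit(1311267452.973:4): avc: denied { getattr } for pid=2412 comm="racoon" path="/etc/racoon/racoon.conf" dev=md0 ino=1401757 scontext=system_u:system_r:racoon_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped.
# A leading space is required so "tcontext" never matches inside "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission(s) inside the braces, e.g. getattr
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type component (third colon-separated field),
# e.g. racoon_t from system_u:system_r:racoon_t:s0
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "perm source_type target_type class path"
avc_summary() {
    line=$1
    printf '%s %s %s %s %s\n' \
        "$(avc_perm "$line")" \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" path)"
}

# next_step LINE -> the dry-run relabel check for the denied path.
# restorecon -n only reports what it would change; drop -n to apply it.
next_step() {
    p=$(avc_field "$1" path)
    if [ -n "$p" ]; then
        printf 'restorecon -n -v %s\n' "$p"
    fi
}

# Stand-alone usage against the constructed sample.
avc_summary "$SAMPLE_AVC"
next_step "$SAMPLE_AVC"
```

Running it on the sample prints `getattr racoon_t user_home_t file /etc/racoon/racoon.conf` followed by `restorecon -n -v /etc/racoon/racoon.conf`. When the target type is a home-directory or tmp type rather than the one file_contexts lists for the path, the relabel is the right fix; when the types already match, the denial is a genuine policy gap and relabeling will not help.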

By the way, this was on the following system:

# cat /etc/redhat-release
CentOS release 5.5 (Final)
#
# rpm -qa | grep selinux-policy
selinux-policy-2.4.6-279.el5_5.2
selinux-policy-targeted-2.4.6-279.el5_5.2