View Issue Details

ID: 0014370
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2018-01-12 20:28
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7.4
Product Version: 7.4.1708
Target Version:
Fixed in Version:
Summary: 0014370: Strongswan-swanctl.service can't start because it can't read /etc/strongswan/swanctl/swanctl.conf and others
Description: Strongswan can't start. auditd.log doesn't yell anything.
semodule -DB reveals why:

type=AVC msg=audit(1515777284.669:5844): avc: denied { search } for pid=21256 comm="swanctl" name="strongswan" dev="dm-0" ino=17089668 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir


type=AVC msg=audit(1515777506.800:5863): avc: denied { read } for pid=21306 comm="swanctl" name="charon" dev="dm-0" ino=25628118 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=dir

and for other dirs there.

Creating a policy to allow search works for me since all I need is swanctl.conf

allow ipsec_mgmt_t ipsec_conf_file_t:dir search;

Steps To Reproduce: Create a swanctl.conf in /etc/strongswan/swanctl/swanctl.conf
Try to start strongswan-swanctl.service.
Tags: No tags attached.
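One way to turn the single `allow` rule from the report into a loadable local policy module, so the workaround survives policy updates and can be reviewed as a file. This is an added example, not part of the reporter's post or of the CentOS policy; the module name `local_swanctl`, the temporary build directory and the use of `ausearch` for the follow-up check are assumptions. It also restores the dontaudit rules that `semodule -DB` switched off during diagnosis.

```shell
#!/bin/sh
# Added example: package the allow rule from the report as a local SELinux
# policy module and load it. The module name "local_swanctl" is an assumption.
MODULE=local_swanctl

# Emit the policy source. The require block declares the two types and the
# dir class the rule refers to; only 'search' is granted, which the report
# says is enough for swanctl to reach /etc/strongswan/swanctl/swanctl.conf.
gen_te() {
    cat <<EOF
module $MODULE 1.0;

require {
    type ipsec_mgmt_t;
    type ipsec_conf_file_t;
    class dir search;
}

# swanctl runs as ipsec_mgmt_t and must traverse the ipsec_conf_file_t dirs
allow ipsec_mgmt_t ipsec_conf_file_t:dir search;
EOF
}

# Compile the source with checkmodule, wrap it with semodule_package and
# load it with semodule (packages: checkpolicy, policycoreutils).
install_module() {
    build=$(mktemp -d)
    gen_te > "$build/$MODULE.te"
    checkmodule -M -m -o "$build/$MODULE.mod" "$build/$MODULE.te"
    semodule_package -o "$build/$MODULE.pp" -m "$build/$MODULE.mod"
    semodule -i "$build/$MODULE.pp"
    rm -rf "$build"
}

# Confirm the module is loaded, rebuild the policy without -D so the
# dontaudit rules are back in force, restart the unit and look for any
# remaining swanctl denials from the last few minutes.
verify_module() {
    semodule -l | grep -q "^$MODULE" || return 1
    semodule -B
    systemctl restart strongswan-swanctl.service
    ausearch -m avc -c swanctl -ts recent || true
}

# Only touch the running policy on a real SELinux host, as root; otherwise
# just show the generated source so it can be reviewed.
if [ "$(id -u)" -eq 0 ] && command -v checkmodule >/dev/null 2>&1 \
   && command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
    install_module && verify_module
else
    echo "Not root or SELinux tools unavailable; policy source would be:" >&2
    gen_te >&2
fi
```

Run it as root on the affected host. If `ausearch` still shows denials after the restart (for example the `read` on the `charon` directory seen in the second AVC), the report's claim that `search` alone is sufficient does not hold for that configuration and the module needs the extra permission added to its require and allow lines.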


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2018-01-12 20:28 d3xt3r01 New Issue