Evgeniy,

Please start with my patch, which should actually address the issue you were originally running into. I doubt that you were running into the kind of errors that James' patch (which will need to be modified to not treat -EACCES as an error to be propagated up the chain) would handle.

Thanks,

venkat

> -----Original Message-----
> From: James Morris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:00 AM
> To: Evgeniy Polyakov
> Cc: David S. Miller; Herbert Xu; netdev@vger.kernel.org; Stephen
> Smalley; Venkat Yekkirala; Paul Moore; Daniel J Walsh
> Subject: Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02
>
>
> On Wed, 4 Oct 2006, Evgeniy Polyakov wrote:
>
> > Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
> > [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted
> > selinux-policy-targeted-2.3.17-2
> >
> > I get only these messages in audit.log when remote racoon tries to
> > connect to system with selinux enabled in enforcing mode:
> >
>
> I think the policy has just not been written for racoon, and it's being
> denied by default (cc'd Dan Walsh).
>
> > type=AVC msg=audit(1159938297.845:625): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
> > type=AVC msg=audit(1159938297.845:626): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938307.837:627): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938317.838:628): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> > type=AVC msg=audit(1159938327.839:629): avc: denied { polmatch } for
> > scontext=system_u:object_r:unlabeled_t:s0
> > tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
> >
> > It is with your patch applied.
> > Should I try Venkat's, or is it an unrelated problem?
> >
> > > --
> > > James Morris
> > > <[EMAIL PROTECTED]>
> >
> >
>
> --
> James Morris
> <[EMAIL PROTECTED]>