I want to store the logs from openswan into a different file ( /var/log/ipsec ) than the default. For this purpose I added
plutostderrlog=/var/log/ipsec
to ipsec.conf.
As long as I keep the server in permissive mode, openswan starts OK. If, however, I switch to enforcing, the daemon refuses to start with the following error message displayed in the console:
ipsec_setup: Starting Openswan IPsec U2.6.32/K3.0.78-1.el6.elrepo.x86_64...
ipsec_setup: Cannot write to "/var/log/ipsec".
The audit log does not record anything useful so I tried to switch dontaudit to off and see if anything useful comes out. After running audit2allow and a bit of trial and error I came out with the following custom policy:
module myipsec 1.0;

require {
	# the source domain of the allow rule has to be declared here, otherwise the module does not build
	type ipsec_mgmt_t;
	type var_log_t;
	class file { write ioctl getattr append };
}

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_log_t:file write;
The above policy worked for me but I am wondering if it is OK.
The problem is that the administrator decided to add policy that allows ipsec_mgmt_t to write any file labeled var_log_t. A compromised ipsec_mgmt_t process could now overwrite any log file on the system labeled var_log_t, including /var/log/messages. var_log_t is the default label for ANY file in the /var/log directory that does not have SELinux policy controlling it. Also remember that "write" access is always more dangerous than "append" access, since "write" allows you to truncate a file, destroying evidence, whereas "append" only lets you add to the end of a file.
In the paper I wrote a few years ago, "What is SELinux trying to tell me? The 4 key causes of SELinux errors", I explain that adding policy should be your third option, not your first. In this case Dominic Grift pointed out to the admin that changing the label of the target would fix the problem without adding custom policy:
semanage fcontext -a -t ipsec_log_t "/var/log/ipsec.*"
restorecon -v /var/log/ipsec
By telling SELinux that the content in the /var/log/ipsec log file was ipsec_log_t, you solve your problem and end up with the same security you had before the change.
Think Labels First...
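As an added example, not code from the post or its comments: a small linter for an audit2allow-style .te module that flags the three things discussed above before the module is loaded. It reports allow rules that use a type never declared (the module will not build), destructive permissions granted on a generic label such as var_log_t (the hint that a relabel is the better fix), and file "write" where "append" would do. The generic-type and destructive-permission lists are my own heuristics, the POSTED_MODULE text is reconstructed from the question, and SCOPED_MODULE is a constructed contrast; none of it is the questioner's exact file.

```python
"""Lint an audit2allow-style SELinux .te module for rules an admin should
reconsider before loading it. Heuristic lists below are assumptions made
for this example, not part of any SELinux reference policy."""
import re

# Broadly shared labels that many unrelated domains already read and write;
# a destructive rule against one of these usually means the single path
# involved should be relabelled to a domain-specific type instead.
GENERIC_TYPES = {"var_log_t", "var_t", "var_lib_t", "var_run_t", "etc_t", "tmp_t", "usr_t"}

# Permissions that let a domain truncate, remove or replace content rather than only add to it.
DESTRUCTIVE_PERMS = {"write", "unlink", "create", "rename", "setattr", "relabelfrom", "relabelto"}

# allow <source> <target>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
# type <name>;  (inside require{} or as a local declaration; both count as declared)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)

# Constructed from the question above: note ipsec_t is declared but ipsec_mgmt_t is used.
POSTED_MODULE = """\
module myipsec 1.0;
require {
type ipsec_t;
type var_log_t;
class file { write ioctl getattr append };
}
#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_log_t:file write;
"""

# Constructed contrast: if a rule were still wanted after relabelling the file to
# ipsec_log_t, an append-only rule against that specific type raises no finding.
SCOPED_MODULE = """\
module myipsec 1.1;
require {
type ipsec_mgmt_t;
type ipsec_log_t;
class file { append getattr };
}
allow ipsec_mgmt_t ipsec_log_t:file { append getattr };
"""


def parse_module(text):
    """Return (declared type names, [(source, target, class, perms)])."""
    declared = set(TYPE_RE.findall(text))
    rules = [(s, t, c, set(p.strip("{} ").split())) for s, t, c, p in ALLOW_RE.findall(text)]
    return declared, rules


def lint_module(text):
    """Return a list of (kind, message) findings; an empty list means nothing to flag."""
    declared, rules = parse_module(text)
    findings = []
    for src, tgt, cls, perms in rules:
        for ty in (src, tgt):
            if ty not in declared:
                findings.append(("undeclared",
                                 f"{ty} is used in an allow rule but never declared; the module will not build"))
        destructive = sorted(perms & DESTRUCTIVE_PERMS)
        if tgt in GENERIC_TYPES and destructive:
            findings.append(("over-broad",
                             f"{src} gets {' '.join(destructive)} on every {cls} labelled {tgt}; "
                             f"relabel the one path to a type owned by {src} instead"))
        if cls == "file" and "write" in perms:
            findings.append(("write-vs-append",
                             f"{src} may truncate {tgt} files; append would only let it add to them"))
    return findings


if __name__ == "__main__":
    for name, module in (("posted", POSTED_MODULE), ("scoped", SCOPED_MODULE)):
        print(f"== {name} ==")
        for kind, msg in lint_module(module) or [("ok", "nothing to flag")]:
            print(f"  [{kind}] {msg}")
```

Run against the posted module it reports the undeclared ipsec_mgmt_t, the over-broad write on var_log_t, and the write-versus-append point; run against the scoped module it reports nothing. The "over-broad" finding is the one that should send you back to semanage fcontext and restorecon rather than to semodule.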

Can I suggest a small correction?
Because lord knows, often enough the answer is 'yes'.