On Mon, 2 Oct 2006, Evgeniy Polyakov wrote:

> > Can you look in /var/log/audit/audit.log ? (especially grep for
> > 'association' )
>
> Indeed.
>
> type=AVC msg=audit(1159804556.391:21): avc: denied { polmatch } for
> pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255
> tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association

Ok, that's it.

> But then it is quite strange why FC5 2.6.17-1.2187_FC5smp works,
> are there some bindings to the kernel version?
> (my knowledge about selinux changes related to xfrm is somewhere
> between zero and void).

The SELinux policy is loosely bound to the kernel version. Generally, if
you run development kernels, you need development SELinux policy.

> > What version of SELinux policy are you using?
> >
> > i.e. $ rpm -q selinux-policy-targeted
>
> selinux-policy-targeted-2.3.7-2.fc5

Yep, that's ancient.

> I run it every day in cron and there are no updates at
>
> http://download.fedora.redhat.com/pub/fedora/linux/core/updates/5/i386/
>
> behind my version.

You can get recent policy packages via the devel repo, which I'd suggest
if you're using development (or DIY) kernels.

-- 
James Morris <[EMAIL PROTECTED]>
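
Added example, not part of the original message and not code from any SELinux tool: a parser for the AVC record quoted in the thread that filters denials on the association class and prints the type-enforcement rule the loaded policy lacks. The sample line is the thread's record rejoined onto one line; all function names are illustrative.

```python
import re

# The denial quoted in the thread, rejoined onto one line (sample input).
SAMPLE = (
    'type=AVC msg=audit(1159804556.391:21): avc: denied { polmatch } for '
    'pid=2213 comm="racoon" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    # Remaining key=value fields; values may be double-quoted (comm="racoon").
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group("rest")):
        rec[key] = quoted or bare
    return rec

def context_type(context):
    """The type is the third field of user:role:type[:mls-range]."""
    return context.split(":")[2]

def missing_rule(rec):
    """Type-enforcement rule that would cover the denied access."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    # "self" is policy syntax for a target type equal to the source type.
    return "allow {} {}:{} {};".format(
        src, "self" if src == tgt else tgt, rec["tclass"], perm_str)

def association_denials(lines):
    """Yield parsed denials on the association class (the thread's grep)."""
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec.get("tclass") == "association":
            yield rec

if __name__ == "__main__":
    other = "type=SYSCALL msg=audit(1159804556.391:21): arch=40000003"  # constructed
    for rec in association_denials([SAMPLE, other]):
        print(rec["comm"], rec["pid"], missing_rule(rec))
```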