fedora-selinux June 2009 archive
fedora-selinux: Re: bizarre packet labelings

Re: bizarre packet labelings

From: Stephen Smalley <sds_at_nospam>
Date: Thu Jun 18 2009 - 12:33:11 GMT
To: brian retford <bretford@gmail.com>


On Wed, 2009-06-17 at 14:21 -0700, brian retford wrote:
> 2.6.18, with some custom kernel modules -- there is an off chance that
> they are interacting, but I doubt it.

Well, you have some kind of kernel bug; whether it lies in those custom kernel modules or elsewhere, I don't know. Obviously, removing those custom kernel modules and re-testing would help eliminate them as possible causes.

> -b
>
> On Wed, Jun 17, 2009 at 12:47 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
> > We have a fairly customized centos 5.3 distribution, but I know of
> > nothing that would cause the behavior I'm seeing. We don't use
> > iptables or ipsec, secmark is enabled in the kernel. I get avc denied
> > messages for packets that almost certainly do exist, but the targets
> > almost never make sense (at least to me), things like ls_exec_t,
> > lib_t, and other seemingly random types. Thoughts?
> >
> > avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41
> > src=22 daddr=172.27.134.1 dest=40428 netif=eth0
> > scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:lib_t:s0 tclass=packet
>
>
> If you haven't configured iptables to mark packets with those contexts,
> then you shouldn't get any such denials.
>
> So either you have a weird iptables configuration or you have a kernel
> bug.
>
> What kernel are you using?
>
> --
> Stephen Smalley
> National Security Agency
>
>
--
Stephen Smalley
National Security Agency
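The sanity check Stephen describes (packet-class denials against a type that no SECMARK rule could have assigned), written up as a small AVC log filter. This is an added example, not code from the thread or from the SELinux project; the first sample record is the one quoted above, the other two are constructed, and the rule that packet types end in `_packet_t` (plus `unlabeled_t` for unmarked traffic) is an assumption about reference-policy naming that you should adjust to your own policy.

```python
import re

# Sample AVC records. The first is the one quoted in the thread; the other
# two are constructed for this example (a legitimate packet denial and a
# file denial that the filter must ignore).
SAMPLE_AVC = """\
avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22 daddr=172.27.134.1 dest=40428 netif=eth0 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=packet
avc: denied { recv } for pid=4100 comm="nc" saddr=10.0.0.5 src=5555 daddr=10.0.0.1 dest=22 netif=eth0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ssh_server_packet_t:s0 tclass=packet
avc: denied { read } for pid=77 comm="cat" path="/etc/shadow" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# key=value pairs; values are either a quoted string or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*)\}')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for non-AVC lines."""
    if "avc:" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def context_type(ctx):
    """Extract the type field (third component) of an SELinux security context."""
    return ctx.split(":")[2]


def suspicious_packet_denials(text, packet_suffix="_packet_t", extra_ok=("unlabeled_t",)):
    """Flag tclass=packet denials whose target type is not a packet type.

    Assumption: SECMARK packet types follow the refpolicy convention of ending
    in _packet_t, and unmarked packets carry unlabeled_t. Anything else as the
    target of a packet denial points at a stray iptables SECMARK rule or, as in
    the thread, a kernel bug corrupting the packet label.
    """
    flagged = []
    for line in text.splitlines():
        f = parse_avc(line)
        if not f or f.get("tclass") != "packet":
            continue
        ttype = context_type(f["tcontext"])
        if ttype.endswith(packet_suffix) or ttype in extra_ok:
            continue
        flagged.append({"pid": f.get("pid"), "comm": f.get("comm"),
                        "netif": f.get("netif"), "perms": f["perms"], "ttype": ttype})
    return flagged
```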