We have a fairly customized centos 5.3 distribution, but I know of nothing that would cause the behavior I'm seeing. We don't use iptables or ipsec, secmark is enabled in the kernel. I get avc denied messages for packets that almost certainly do exist, but the targets almost never make sense (at least to me), things like ls_exec_t, lib_t, and other seemingly random types. Thoughts?
avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22 daddr=172.27.134.1 dest=40428 netif=eth0 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=packet
-b
On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
> We have a fairly customized centos 5.3 distribution, but I know of nothing that would cause the behavior I'm seeing. We don't use iptables or ipsec, secmark is enabled in the kernel. I get avc denied messages for packets that almost certainly do exist, but the targets almost never make sense (at least to me), things like ls_exec_t, lib_t, and other seemingly random types. Thoughts?
>
> avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22 daddr=172.27.134.1 dest=40428 netif=eth0 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=packet
If you haven't configured iptables to mark packets with those contexts, then you shouldn't get any such denials.
So either you have a weird iptables configuration or you have a kernel bug.
What kernel are you using?
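The diagnostic Stephen describes can be mechanised: collect the `tclass=packet` denials, pull the target type out of each `tcontext`, and compare it with the set of labels your SECMARK rules can actually assign (the `--selctx` arguments in `iptables-save` output). A packet label that no SECMARK rule ever applies cannot have come from iptables, which is the point at which the kernel (or a custom module) becomes the suspect. The script below is an added example, not part of the original thread; the audit lines and the `iptables-save` snippet are constructed samples (the first AVC line is the one from the thread, the SECMARK rule and the other two records are made up to exercise the other code paths), and `http_server_packet_t` is used only as an illustrative label.

```python
import re

# Constructed sample: the AVC record quoted in the thread, plus a packet denial
# whose label IS assigned by a SECMARK rule, plus a file denial the filter must skip.
SAMPLE_AUDIT = """\
avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22 daddr=172.27.134.1 dest=40428 netif=eth0 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=packet
avc: denied { recv } for pid=0 comm="swapper" saddr=10.0.0.5 src=443 daddr=10.0.0.9 dest=51000 netif=eth0 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:http_server_packet_t:s0 tclass=packet
avc: denied { read } for pid=4100 comm="cat" name="shadow" dev=sda1 ino=12345 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Constructed sample of `iptables-save` output with one SECMARK labelling rule.
SAMPLE_IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j SECMARK --selctx system_u:object_r:http_server_packet_t:s0
-A INPUT -j CONNSECMARK --save
COMMIT
"""

# key=value pairs in an AVC record; comm="..." may contain spaces, so quoted values are kept whole
AVC_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')
SECMARK_RE = re.compile(r'-j SECMARK --selctx (\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for a non-AVC line."""
    if 'avc:' not in line:
        return None
    fields = {k: v.strip('"') for k, v in AVC_KV.findall(line)}
    perms = AVC_PERMS.search(line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields


def type_of(context):
    """SELinux type (third field) of a user:role:type[:range] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def secmark_labels(iptables_save_text):
    """Set of full contexts that SECMARK rules in the ruleset can put on packets."""
    return set(SECMARK_RE.findall(iptables_save_text))


def unexplained_packet_denials(audit_text, iptables_save_text):
    """Packet-class denials whose target type no SECMARK rule assigns.

    Labels that do appear in a SECMARK rule are a policy question (the domain is
    simply not allowed to send/recv that packet type); labels that never appear
    cannot have been set by iptables and point at a labelling bug instead.
    """
    assignable_types = {type_of(ctx) for ctx in secmark_labels(iptables_save_text)}
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get('tclass') != 'packet':
            continue
        ttype = type_of(rec.get('tcontext', ''))
        if ttype not in assignable_types:
            findings.append({
                'pid': rec.get('pid'),
                'comm': rec.get('comm'),
                'perms': rec['perms'],
                'ttype': ttype,
                'netif': rec.get('netif'),
            })
    return findings


if __name__ == '__main__':
    # On a live box you would feed this `ausearch -m avc -c` output and `iptables-save`.
    for f in unexplained_packet_denials(SAMPLE_AUDIT, SAMPLE_IPTABLES_SAVE):
        print('packet label %s is not assigned by any SECMARK rule: pid=%s comm=%s perms=%s netif=%s'
              % (f['ttype'], f['pid'], f['comm'], ' '.join(f['perms']), f['netif']))
```

Run against the samples, only the `lib_t` record is reported: `http_server_packet_t` is a label the ruleset really assigns, so that denial is ordinary policy work, whereas a packet labelled `lib_t` on a host with no SECMARK rule for it is exactly the "can't come from iptables" case the reply above describes. If the script reports nothing on a machine that is still logging odd packet types, check that `iptables-save` was run on the same netns and that no other module is touching `skb->secmark`.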
2.6.18, with some custom kernel modules -- there is an off chance that they are interacting, but I doubt it.
-b
On Wed, Jun 17, 2009 at 12:47 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
> > We have a fairly customized centos 5.3 distribution, but I know of nothing that would cause the behavior I'm seeing. We don't use iptables or ipsec, secmark is enabled in the kernel. I get avc denied messages for packets that almost certainly do exist, but the targets almost never make sense (at least to me), things like ls_exec_t, lib_t, and other seemingly random types. Thoughts?
> >
> > avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22 daddr=172.27.134.1 dest=40428 netif=eth0 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=packet
>
> If you haven't configured iptables to mark packets with those contexts, then you shouldn't get any such denials.
> So either you have a weird iptables configuration or you have a kernel bug.
> What kernel are you using?
>
> -- 
> Stephen Smalley
> National Security Agency
On Wed, 2009-06-17 at 14:21 -0700, brian retford wrote:
> 2.6.18, with some custom kernel modules -- there is an off chance that they are interacting, but I doubt it.
Well, you have some kind of kernel bug, whether it lies in those custom kernel modules or elsewhere I don't know. Obviously removing those custom kernel modules and re-testing would help eliminate them as possible causes.
selinux@lists.fedoraproject.org