rawhide report: 20060115 changes

Stephen Smalley sds at tycho.nsa.gov
Tue Jan 17 16:04:35 UTC 2006


On Tue, 2006-01-17 at 10:51 -0500, Daniel J Walsh wrote:
> Erwin Rol wrote:
> > On Sun, 2006-01-15 at 03:51 -0500, Build System wrote:
> >
> >> kernel-2.6.15-1.1854_FC5
> >> ------------------------
> >
> > With this and the previous kernel i get a whole bunch of selinux
> > "errors"
> >
> > Jan 15 14:33:18 xpc kernel: audit(1137331983.110:16): avc:  denied  { sendto } for  scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=association
> > Jan 15 14:33:18 xpc init: Switching to runlevel: 6
> > Jan 15 14:33:18 xpc kernel: audit(1137331983.414:17): avc:  denied  { sendto } for  scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=association
> > Jan 15 14:33:18 xpc kernel: audit(1137331983.438:18): avc:  denied  { sendto } for  pid=2142 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> >
> This indicates some kind of object (File system?) that SELinux does not
> know about so it is unlabeled_t.

No, these are the new IPSEC controls introduced by IBM; in the absence
of a labeled IPSEC SA, there is a check against the unlabeled SID to
control the ability to send and receive unprotected network traffic.
Latest policy should include rules for this.

-- 
Stephen Smalley
National Security Agency
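As an added illustration (not part of the thread, and not Fedora or NSA code): a small parser for the AVC lines Erwin quoted that isolates the association/unlabeled_t denials Stephen describes, i.e. unprotected traffic checked against the unlabeled SID when no labeled IPsec SA exists, and renders the audit2allow-style allow rules a policy would need. The log text is the three lines from Erwin's mail, embedded here as a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the AVC lines quoted in the thread (kernel_t and
# rpc.statd/rpcd_t sending to the unlabeled SID, class "association").
AVC_LOG = """\
Jan 15 14:33:18 xpc kernel: audit(1137331983.110:16): avc:  denied  { sendto } for  scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=association
Jan 15 14:33:18 xpc init: Switching to runlevel: 6
Jan 15 14:33:18 xpc kernel: audit(1137331983.414:17): avc:  denied  { sendto } for  scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=association
Jan 15 14:33:18 xpc kernel: audit(1137331983.438:18): avc:  denied  { sendto } for  pid=2142 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    source_type: str   # type field of scontext, e.g. kernel_t
    target_type: str   # type field of tcontext, e.g. unlabeled_t
    tclass: str
    comm: Optional[str]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one syslog line; return None for non-AVC lines (e.g. the init message)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    perms = tuple(sorted(m.group("perms").split()))
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return Denial(perms, stype, ttype, fields["tclass"], fields.get("comm"))


def is_unlabeled_ipsec_denial(d: Denial) -> bool:
    """The case from the thread: an association check against the unlabeled SID."""
    return d.tclass == "association" and d.target_type == "unlabeled_t"


def allow_rules(log_text: str) -> list:
    """Deduplicated allow rules (audit2allow style) for the unlabeled association denials.
    Whether to grant them is a policy decision; the thread says current policy does."""
    rules = set()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and is_unlabeled_ipsec_denial(d):
            rules.add(f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};")
    return sorted(rules)
```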
