[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: rawhide report: 20060115 changes



On Tue, 2006-01-17 at 10:51 -0500, Daniel J Walsh wrote:
> Erwin Rol wrote:
> > On Sun, 2006-01-15 at 03:51 -0500, Build System wrote:
> >
> >   
> >> kernel-2.6.15-1.1854_FC5
> >> ------------------------
> >>     
> >
> > With this and the previous kernel i get a whole bunch of selinux
> > "errors"
> >
> > Jan 15 14:33:18 xpc kernel: audit(1137331983.110:16): avc:  denied  { sendto } for  scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=association
> > Jan 15 14:33:18 xpc init: Switching to runlevel: 6
> > Jan 15 14:33:18 xpc kernel: audit(1137331983.414:17): avc:  denied  { sendto } for  scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=association
> > Jan 15 14:33:18 xpc kernel: audit(1137331983.438:18): avc:  denied  { sendto } for  pid=2142 comm="rpc.statd" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:unlabeled_t tclass=association
> >
> >   
> This indicates some kind of object (File system?) that SELinux does not 
> know about so it is unlabled_t.

No, these are the new IPSEC controls introduced by IBM; in the absence
of a labeled IPSEC SA, there is a check against the unlabeled SID to
control the ability to send and receive unprotected network traffic.
Latest policy should include rules for this.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]