FC6T1 avc denied messages

Jay Cliburn jacliburn at bellsouth.net
Tue Jun 27 02:07:17 UTC 2006


On Sun, 2006-06-25 at 20:17 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
> > I relabeled with:
> > setfiles /etc/selinux/targeted/contexts/files/file_contexts /
> > but the problem persists.
> 
> That's not the problem...  This is the SECMARK stuff for packet labelling.
> 
> > [root at gadwall etc]# grep "avc:  denied" /var/log/messages | more
> 
> > Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc:  denied  { send } for  pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> 
> "Oh, bother", said Pooh, as he chambered another round...

Excellent juxtaposition of sweetness and malice!

>  
> 
> Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
> 
> http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball.
> Note that parts of this have already made it upstream (for example, the patch
> to serefpolicy is upstreamed already, and the kernel parts are in Linus's
> tree already.  I did have to patch iptables though, and add a rc.d script
> to set it up during boot...
> 
> I've appended a writeup James Morris did on Secmark 1.1, which gives some hints
> of how to set it up.
> 
> Is all of this on track to be included in FC6?  And in particular, how
> is the rc.d scripting planned to work?
> email message attachment, "forwarded message"
> > -------- Forwarded Message --------
> > From: James Morris <jmorris at namei.org>
> > To: selinux at tycho.nsa.gov
> > Cc: netdev at vger.kernel.org, netfilter-devel at lists.netfilter.org,
> > Stephen Smalley <sds at tycho.nsa.gov>, Daniel J Walsh
> > <dwalsh at redhat.com>, Karl MacMillan <kmacmillan at tresys.com>, Patrick
> > McHardy <kaber at trash.net>, David S. Miller <davem at davemloft.net>,
> > Thomas Bleher <bleher at informatik.uni-muenchen.de>
> > Subject: [RFC] SECMARK 1.1
> > Date: Sun, 14 May 2006 02:03:31 -0400 (EDT)
> > 

--snip--

Enforcing mode in FC6T1 currently prevents certain network traffic, so
I've gone to Permissive as a workaround.  I'm a bit of a neophyte when
it comes to SELinux.  Shall I presume y'all know how to fix this and I
should just wait quietly for the fix to trickle down to me?

Thanks,
Jay
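As an added example, not code from the thread, here is a small Python triage helper that parses an `avc: denied` line of the form quoted above and flags the `tclass=packet` / `unlabeled_t` pattern Valdis describes as SECMARK packet labelling, which a filesystem relabel will not fix. The sample line is constructed, modelled on the one in the thread.

```python
import re

# Constructed sample, modelled on the denial quoted in the thread.
SAMPLE = ('Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc:  denied  '
          '{ send } for  pid=4327 comm="local" saddr=127.0.0.1 src=32769 '
          'daddr=127.0.0.1 dest=512 netif=lo '
          'scontext=system_u:system_r:postfix_local_t:s0 '
          'tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet')

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                    r'\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be double-quoted (comm="local") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the avc record's fields, or None if the line is not an avc message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def triage(rec):
    """Classify a parsed record: 'secmark' when a packet-class denial involves an
    unlabeled packet (no SECMARK rule applied), 'packet' for other packet denials,
    'other' for everything else, 'not a denial' when nothing was denied."""
    if rec is None or rec['result'] != 'denied':
        return 'not a denial'
    if rec.get('tclass') == 'packet':
        if context_type(rec.get('tcontext', '')) == 'unlabeled_t':
            return 'secmark'
        return 'packet'
    return 'other'
```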




More information about the fedora-selinux-list mailing list