
Re: [Fwd: Re: Access attempts]



Stephen Smalley wrote:
On Wed, 2007-01-17 at 13:32 -0700, Ken wrote:
  
I just realized I sent this to myself instead of to the list...

-------- Original Message --------
Subject: Re: Access attempts
Date: Fri, 12 Jan 2007 17:13:13 -0700
From: Ken <mantaray_1 cox net>
To: Ken <mantaray_1 cox net>
References: <45A81E60 9020409 cox net>


Ken wrote:
    
I was hoping someone could help me to understand what might be 
happening to trigger the access attempts I am blocking with my policy 
which are listed below.  They only seem to appear when I am logged in 
to the "Blackboard" program at the university I attend.  I have 
already taken several steps to limit what my browser can do, and I do 
not understand how it can trigger such attempts.
**********************
**********************
Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc:  
denied  { rawip_send } for  saddr=192.168.0.2 src="" 
daddr=129.219.10.40 dest=443 netif=eth0 
scontext=system_u:system_r:kernel_t:s15:c0.c255 
tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif

Jan 11 15:39:17 schoolhost kernel: audit(1168555157.992:588): avc:  
denied  { rawip_send } for  saddr=192.168.0.2 src="" 
daddr=129.219.10.40 dest=443 netif=eth0 
scontext=system_u:system_r:kernel_t:s15:c0.c255 
tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif

Jan 11 15:39:18 schoolhost kernel: audit(1168555158.212:590): avc:  
denied  { rawip_send } for  saddr=192.168.0.2 src="" 
daddr=129.219.10.30 dest=443 netif=eth0 
scontext=system_u:system_r:kernel_t:s15:c0.c255 
tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif

Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc:  
denied  { rawip_send } for  pid=2465 comm="X" saddr=192.168.0.2 
src="" daddr=129.219.10.40 dest=443 netif=eth0 
scontext=system_u:system_r:kernel_t:s15:c0.c255 
tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
**********************
**********************

Thanks in advance,
Ken.

-- 
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

      
I just noticed that I sent the wrong part of the log.   I accidentally 
removed this from the previous post instead of the repeated messages:

************
************
Jan 11 15:39:18 schoolhost kernel: audit(1168555158.481:593): avc:  
denied  { rawip_send } for  pid=417 comm="kjournald" saddr=192.168.0.2 
src="" daddr=129.219.10.30 dest=443 netif=eth0 
scontext=system_u:system_r:kernel_t:s15:c0.c255 
tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
************
************

My concern is that somehow the browser seems to be able to entice other 
running processes, such as "X" and "kjournald" to attempt Internet access.
    

No, the avc message is just misleading.  The pid/comm information for
network layer permission checks is unreliable because the packet
send/recv isn't necessarily happening in the context of the process that
initiated the send or that will handle the recv.  Note in particular the
use of kernel_t in the scontext; that is a kernel socket, e.g. ICMP
traffic.

  
Thanks for the information.

-Ken-
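
Added example, not part of the original thread or written by its participants: a small triage helper that applies the point made in the reply above, marking `pid`/`comm` as unreliable on network-layer AVC denials and noting when the source domain is `kernel_t`. The set of classes treated as network-layer, the function names, and the second sample record are assumptions of this example; the first record is the one quoted in the thread, re-joined onto one line.

```python
import re

# Classes treated as network-layer checks (assumption; the thread shows only netif).
NETWORK_LAYER_CLASSES = {"netif", "node"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Record quoted in the thread, re-joined onto one line.
KJOURNALD = (
    'Jan 11 15:39:18 schoolhost kernel: audit(1168555158.481:593): avc:  '
    'denied  { rawip_send } for  pid=417 comm="kjournald" saddr=192.168.0.2 '
    'src="" daddr=129.219.10.30 dest=443 netif=eth0 '
    'scontext=system_u:system_r:kernel_t:s15:c0.c255 '
    'tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif'
)
# Constructed file-access denial for contrast (not from the thread).
FILE_DENIAL = (
    'Jan 11 15:40:02 schoolhost kernel: audit(1168555202.100:601): avc:  '
    'denied  { read } for  pid=2301 comm="firefox-bin" name="example.txt" '
    'scontext=user_u:system_r:mozilla_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file'
)

def parse_avc(record):
    """Parse one single-line AVC denial into a dict of its key=value fields."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def triage(record):
    """Summarise a denial and say whether its pid/comm can be trusted."""
    avc = parse_avc(record)
    if avc is None:
        return None
    ctx = avc.get("scontext", "").split(":")
    domain = ctx[2] if len(ctx) > 2 else None
    network_layer = avc.get("tclass") in NETWORK_LAYER_CLASSES
    return {
        "perms": avc["perms"],
        "source_domain": domain,
        "dest": f'{avc.get("daddr")}:{avc.get("dest")}' if network_layer else None,
        "comm": avc.get("comm"),
        "comm_reliable": not network_layer,   # per the reply: unreliable at network layer
        "kernel_socket": domain == "kernel_t",
    }

if __name__ == "__main__":
    for rec in (KJOURNALD, FILE_DENIAL):
        print(triage(rec))
```
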
