strange avc with racoon under f-11 mls

Xavier Toth txtoth at gmail.com
Thu Oct 15 13:27:40 UTC 2009


On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys
<joshua.roys at gtri.gatech.edu> wrote:
> On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
>>
>> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>>
>>> avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
>>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>>
>>> On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
>>>
>> Did you run the AVC through audit2why?
>
> It said: Policy constraint violation.
>
> Looking at policy/mls, I see this:
> # the peer/packet recv op
> mlsconstrain { peer packet } { recv }
>        (( l1 dom l2 ) or
>         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>         ( t1 == mlsnetread ));
>
> And here are our contexts:
> scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023
>
> According to:
> http://www.patrickmcdaniel.org/pubs/sacmat07.pdf
> the mlsconstrain above expands to:
>
> subject = system_u:system_r:racoon_t:s0-s15:c0.c1023
> object = system_u:object_r:unlabeled_t:s15-s15:c0.c1023
> l1 dom l2 = opl(dom, getl(subject), getl(object))
>          = opl(dom, s0, s15)
>          = FALSE
>
> mlsnetreadtoclr appears to only be granted via:
> policy/modules/kernel/mls.if: mls_socket_read_to_clearance
> which is not granted to racoon_t
>
> and mlsnetread:
> policy/modules/kernel/mls.if: mls_socket_read_all_levels
> which is also not given to racoon_t.
>
> mlsconstrain { peer packet } { recv }
>        (( FALSE ) or
>         (( FALSE ) and ( h1 dom l2 )) or
>         ( FALSE ));
>
> So, does anyone have a pointer to why my traffic is coming in at s15? Or any
> other advice would be appreciated!
>
> Thanks for your help so far,
>
> --
> Josh
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

What do your SA's look like (/etc/racoon/key.conf)?
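The evaluation Josh walks through above can be checked mechanically. The following is an added example (not part of the original thread, and not setools or policy code): it parses the two contexts from the AVC, implements `dom` as SELinux MLS defines it (sensitivity greater-or-equal and category superset), and evaluates the three disjuncts of the `{ peer packet } { recv }` constraint. The attribute memberships (`mlsnetreadtoclr`, `mlsnetread`) are passed in as a constructed set, reflecting Josh's reading that neither is granted to `racoon_t`; the second call shows, as a what-if, that the `h1 dom l2` clause would be satisfied because the subject's clearance `s15:c0.c1023` dominates the packet's level.

```python
"""Evaluate mlsconstrain { peer packet } { recv } for the contexts in the AVC.

Added example, not from the original post. Context strings are the ones
quoted above; the attribute memberships are constructed inputs.
"""
import re
from dataclasses import dataclass

# Contexts copied from the AVC in the quoted message.
SCONTEXT = "system_u:system_r:racoon_t:s0-s15:c0.c1023"
TCONTEXT = "system_u:object_r:unlabeled_t:s15:c0.c1023"


@dataclass(frozen=True)
class Level:
    sens: int          # sN -> N
    cats: frozenset    # individual category numbers

    def dom(self, other):
        """'dom' in SELinux MLS: sensitivity >= and categories a superset."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """Parse 's15:c0.c1023' or 's0' into a Level; 'cA.cB' denotes a range."""
    sens_part, _, cat_part = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens_part)
    if not m:
        raise ValueError(f"bad sensitivity: {sens_part!r}")
    cats = set()
    if cat_part:
        for piece in cat_part.split(","):
            rng = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", piece)
            if not rng:
                raise ValueError(f"bad category: {piece!r}")
            lo = int(rng.group(1))
            hi = int(rng.group(2) or lo)
            cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_context(ctx):
    """Split user:role:type:low[-high]; a single level means low == high."""
    _user, _role, typ, mls = ctx.split(":", 3)
    low_s, _, high_s = mls.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    return typ, low, high


def recv_allowed(scontext, tcontext, source_attrs=frozenset()):
    """Evaluate the quoted constraint:
         (( l1 dom l2 ) or
          (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
          ( t1 == mlsnetread ))
    source_attrs is the (constructed) set of MLS attributes held by t1.
    Returns (allowed, {clause: value}) so each disjunct can be inspected."""
    _t1, l1, h1 = parse_context(scontext)
    _t2, l2, _h2 = parse_context(tcontext)
    clauses = {
        "l1 dom l2": l1.dom(l2),
        "t1 == mlsnetreadtoclr and h1 dom l2":
            "mlsnetreadtoclr" in source_attrs and h1.dom(l2),
        "t1 == mlsnetread": "mlsnetread" in source_attrs,
    }
    return any(clauses.values()), clauses


if __name__ == "__main__":
    # As reported: racoon_t holds neither MLS network attribute.
    allowed, clauses = recv_allowed(SCONTEXT, TCONTEXT)
    for name, value in clauses.items():
        print(f"{name:45s} -> {value}")
    print("recv allowed:", allowed)            # False: constraint violation

    # What-if (hypothetical): t1 carried mlsnetreadtoclr.
    allowed, clauses = recv_allowed(SCONTEXT, TCONTEXT, {"mlsnetreadtoclr"})
    print("with mlsnetreadtoclr, recv allowed:", allowed)   # True via h1 dom l2
```

The first run reproduces audit2why's "policy constraint violation" from the contexts alone; the second run only shows which clause the subject's clearance would satisfy, not that granting the attribute is the right fix, which depends on why the packets are labelled `s15` in the first place.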
