* tcp_send errors
@ 2002-12-03 14:40 Timothy Wood
  2002-12-03 15:22 ` Russell Coker
  0 siblings, 1 reply; 3+ messages in thread
From: Timothy Wood @ 2002-12-03 14:40 UTC (permalink / raw)
  To: SELinux

I have the latest lsm (as per the NSA site) installed on a fresh RH8.0
install and I am getting errors trying to forward packets through it. 
Is there something I need to change in the policy to permit forwarding
or is this just a RH8.0 problem not present in the 7.X versions? I do
not have the exact errors since the ssh apparently isn't working
properly, but they were tcp_send errors and I can provide those later.  

Also I have four interfaces and I'm thinking I remember there being a
problem with more than two, so is this still a problem?

Lastly I've noticed a few others having trouble with RH8.0 and I have a
whole lot more problems than I did with a RH7.3 machine so my question
is does anyone have other distros they are running SELinux on and like
how it is working out?  Russell I know you are doing lots of good for
debian, but what about others? Mandrake? Slackware? etc. etc.?

Timothy,




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: tcp_send errors
  2002-12-03 14:40 tcp_send errors Timothy Wood
@ 2002-12-03 15:22 ` Russell Coker
  0 siblings, 0 replies; 3+ messages in thread
From: Russell Coker @ 2002-12-03 15:22 UTC (permalink / raw)
  To: Timothy Wood, SELinux

On Tue, 3 Dec 2002 15:40, Timothy Wood wrote:
> Lastly I've noticed a few others having trouble with RH8.0 and I have a
> whole lot more problems than I did with a RH7.3 machine so my question
> is does anyone have other distros they are running SELinux on and like
> how it is working out?  Russell I know you are doing lots of good for
> debian, but what about others? Mandrake? Slackware? etc. etc.?

I could always build packages for other distributions too if someone wants to 
pay me to do it.  I've got the time to build packages for RH, Mandrake, and 
Slackware if there are people who want to pay.

Anyone who's interested can contact me off-list.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: tcp_send errors
@ 2002-12-03 15:26 Stephen D. Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen D. Smalley @ 2002-12-03 15:26 UTC (permalink / raw)
  To: SELinux, timothy


> I have the latest lsm (as per the NSA site) installed on a fresh RH8.0
> install and I am getting errors trying to forward packets through it. 
> Is there something I need to change in the policy to permit forwarding
> or is this just a RH8.0 problem not present in the 7.X versions? I do
> not have the exact errors since the ssh apparently isn't working
> properly, but they were tcp_send errors and I can provide those later.  
> 
> Also I have four interfaces and I'm thinking I remember there being a
> problem with more than two, so is this still a problem?

This should just be a policy configuration issue, and shouldn't be
different for RH8.0.  You need to allow the tcp_send permission
between the appropriate netmsg_* type and the appropriate netif_* type
in policy/types/network.te to forward the packet.  The example policy only 
defines types and contexts for eth[0-2], so you'll need to define additional 
types and contexts in policy/types/network.te and policy/net_contexts if you 
want to distinguish each interface in your policy.  Or, if you don't care
to use SELinux to separate the interfaces, you can remove all of the
eth[0-2] entries, in which case they will all map to netif_t for the
interface and netmsg_t for packets received on the interface.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
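
The policy change described in the reply above, sketched for a fourth interface eth3 forwarding TCP to and from eth0 (an added example, not part of the original message or of the shipped example policy). The type names netif_eth3_t and netmsg_eth3_t, the attributes netif_type and netmsg_type, the netif object class, and the choice of eth0 as the peer interface are assumptions modelled on the eth[0-2] entries the reply mentions; check them against your own network.te and net_contexts.

```selinux
# --- policy/types/network.te (assumed additions, same pattern as eth[0-2]) ---

# Type for the interface itself and for packets received on it.
type netif_eth3_t, netif_type;
type netmsg_eth3_t, netmsg_type;

# Forwarding: a packet labelled with the receiving interface's netmsg_*
# type is sent out through the other interface's netif_* type.
# One rule per direction; only TCP is granted here.
allow netmsg_eth0_t netif_eth3_t:netif tcp_send;
allow netmsg_eth3_t netif_eth0_t:netif tcp_send;

# --- policy/net_contexts ---

# interface   interface context                   context of received packets
netifcon eth3 system_u:object_r:netif_eth3_t system_u:object_r:netmsg_eth3_t
```

Without the eth3 entries the interface falls back to netif_t and netmsg_t, as the reply notes, so per-interface rules like the ones above only take effect once both the types and the netifcon line are present and the policy is rebuilt and reloaded.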

