Subject: network packets have become unlabeled_t
From: Antoine Martin @ 2006-04-21 17:29 UTC (permalink / raw)
  To: SE Linux


Hi list,

Using recent kernels (started around 2.6.16) I can't use the network in
enforcing mode because all the packets (in and out) are unlabeled.
i.e. with ssh:
audit(1145733148.799:164): avc:  denied  { recvfrom } for
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t
tclass=association

audit2allow would like me to add:
allow mysqld_t unlabeled_t:association { recvfrom sendto };
allow named_t unlabeled_t:association { recvfrom sendto };
allow sshd_t unlabeled_t:association { recvfrom sendto };
(and so on)

Where is this coming from? Have I missed an option for labeling network
interfaces? If so, where? SECURITY_NETWORK is set.

I have done make clean; make reload;
policy.conf does contain things like:
type ssh_port_t, port_type, reserved_port_type;

I'm stuck.

Thanks
Antoine



Subject: Re: network packets have become unlabeled_t
From: Stephen Smalley @ 2006-04-21 18:11 UTC (permalink / raw)
  To: Antoine Martin; +Cc: SE Linux

On Fri, 2006-04-21 at 18:29 +0100, Antoine Martin wrote:
> Hi list,
> 
> Using recent kernels (started around 2.6.16) I can't use the network in
> enforcing mode because all the packets (in and out) are unlabeled.
> i.e. with ssh:
> audit(1145733148.799:164): avc:  denied  { recvfrom } for
> scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t
> tclass=association
> 
> audit2allow would like me to add:
> allow mysqld_t unlabeled_t:association { recvfrom sendto };
> allow named_t unlabeled_t:association { recvfrom sendto };
> allow sshd_t unlabeled_t:association { recvfrom sendto };
> (and so on)
> 
> Where is this coming from? Have I missed an option for labeling network
> interfaces? If so, where? SECURITY_NETWORK is set.
> 
> I have done make clean; make reload;
> policy.conf does contain things like:
> type ssh_port_t, port_type, reserved_port_type;
> 
> I'm stuck.

The integration with IPSEC to support implicit labeling of packets based
on security association introduced new checks on sending and receiving
of packets so that you can e.g. prohibit sending/receiving of unlabeled
traffic.  Newer policies include rules to allow this.

Your other option is to disable the CONFIG_SECURITY_NETWORK_XFRM option
in your kernel config, to disable that processing.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
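An added example, not code from the thread or from the SELinux project: a small Python parser for AVC records in the format quoted above. It picks out the denials that the xfrm/IPsec integration Stephen describes produces (tclass=association against unlabeled_t) and renders the allow rules audit2allow proposed. The first sample record is the one Antoine posted; the remaining records are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample: record 1 is the denial quoted in the thread, the rest are
# made-up AVC records in the same 2006-era kernel-printk audit format.
SAMPLE_AVC = """\
audit(1145733148.799:164): avc:  denied  { recvfrom } for scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1145733149.100:165): avc:  denied  { sendto } for scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1145733150.250:166): avc:  denied  { recvfrom } for scontext=system_u:system_r:named_t tcontext=system_u:object_r:unlabeled_t tclass=association
audit(1145733151.300:167): avc:  denied  { name_bind } for pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
audit(1145733152.000:168): avc:  granted  { recvfrom } for scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unlabeled_t tclass=association
"""

# "avc:  denied  { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text: str) -> List[dict]:
    """Parse AVC records into dicts holding result, the perm set and the key=value fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (other audit messages, wrapped continuation lines)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "result": m.group("result"),
            "perms": set(m.group("perms").split()),
            **fields,
        })
    return records


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def unlabeled_association_denials(records: List[dict]) -> Dict[str, Set[str]]:
    """Collect denied association perms against unlabeled_t, keyed by source domain.

    These are the checks the IPsec labeling integration added: a packet that
    carries no labeled security association is treated as unlabeled_t.
    """
    out: Dict[str, Set[str]] = {}
    for r in records:
        if r["result"] != "denied" or r.get("tclass") != "association":
            continue
        if context_type(r["tcontext"]) != "unlabeled_t":
            continue
        out.setdefault(context_type(r["scontext"]), set()).update(r["perms"])
    return out


def allow_rules(denials: Dict[str, Set[str]]) -> List[str]:
    """Render the allow rules audit2allow would propose, one per source domain."""
    return [
        f"allow {dom} unlabeled_t:association {{ {' '.join(sorted(perms))} }};"
        for dom, perms in sorted(denials.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(unlabeled_association_denials(parse_avc(SAMPLE_AVC))):
        print(rule)
```

On the sample input this yields one rule for named_t (recvfrom only) and one for sshd_t (recvfrom and sendto); the granted record and the tcp_socket denial are ignored. Note what such a rule means before adding it: it lets the domain exchange traffic that has no labeled IPsec association at all, which is exactly the condition the new check exists to be able to deny. Where the newer policy Stephen mentions already carries these rules, taking that policy is preferable to hand-pasting audit2allow output into a local module.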