* ping problems.
@ 2003-03-22 20:45 Kurt Roeckx
From: Kurt Roeckx @ 2003-03-22 20:45 UTC (permalink / raw)
  To: selinux

ping6 doesn't seem to work when pinging localhost (::1).
It does work in case I ping a remote host however.

I get this error:
avc:  denied  { recvfrom } for  pid=1631 exe=/bin/ping6 netif=lo
scontext=kurt:sysadm_r:ping_t tcontext=system_u:system_r:kernel_t
tclass=rawip_socket

I think the tclass should be icmp_socket_t instead, for which it
has permission to use recvfrom.

Then there is a problem for both ping and ping6 if you try to use
the -I parameter.  You get:

avc:  denied  { ioctl } for  pid=1641 exe=/bin/ping6
path=socket:[8429] dev=00:00 ino=8429
scontext=kurt:sysadm_r:ping_t tcontext=kurt:sysadm_r:ping_t
tclass=rawip_socket

avc:  denied  { ioctl } for  pid=1647 exe=/bin/ping
path=socket:[8439] dev=00:00 ino=8439
scontext=kurt:sysadm_r:ping_t tcontext=kurt:sysadm_r:ping_t
tclass=rawip_socket


Kurt


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: ping problems.
@ 2003-03-22 23:38 ` Russell Coker
From: Russell Coker @ 2003-03-22 23:38 UTC (permalink / raw)
  To: Kurt Roeckx, selinux

On Sat, 22 Mar 2003 21:45, Kurt Roeckx wrote:
> avc:  denied  { ioctl } for  pid=1641 exe=/bin/ping6
> path=socket:[8429] dev=00:00 ino=8429
> scontext=kurt:sysadm_r:ping_t tcontext=kurt:sysadm_r:ping_t
> tclass=rawip_socket

If the following rule is added:
allow ping_t self:rawip_socket create_socket_perms;

Then it'll add the ioctl access, plus the following:
getattr setattr append connect shutdown

I think that those 5 accesses are ok, and using the macro allows a simpler rule, 
which is a benefit.

I've added the ioctl to my tree for the moment, I'll probably change to the 
macro later.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
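Worked example, added here and not part of either message above: a minimal audit2allow-style pass over the three AVC denials Kurt quoted, turning them into candidate allow rules, followed by the check Russell describes, i.e. which permissions a macro such as create_socket_perms would grant beyond the rule ping_t already has. The contents of create_socket_perms and of the pre-existing ping_t rawip_socket rule are not on this page; the sets used below are my assumption of what the example policy of that era contained, and the three log lines are the thread's denials re-joined onto single lines.

```python
"""Added example: aggregate AVC denials into allow rules and compute what a
policy macro would add on top of an existing rule.

ASSUMPTIONS (not from the thread): the macro contents and the existing ping_t
rule below are illustrative reconstructions of the old example policy.
"""
import re
from collections import defaultdict

# Constructed input: the three denials quoted in the thread, with the wrapped
# lines joined back together as the kernel printed them.
AVC_LINES = [
    "avc:  denied  { recvfrom } for  pid=1631 exe=/bin/ping6 netif=lo "
    "scontext=kurt:sysadm_r:ping_t tcontext=system_u:system_r:kernel_t tclass=rawip_socket",
    "avc:  denied  { ioctl } for  pid=1641 exe=/bin/ping6 path=socket:[8429] dev=00:00 ino=8429 "
    "scontext=kurt:sysadm_r:ping_t tcontext=kurt:sysadm_r:ping_t tclass=rawip_socket",
    "avc:  denied  { ioctl } for  pid=1647 exe=/bin/ping path=socket:[8439] dev=00:00 ino=8439 "
    "scontext=kurt:sysadm_r:ping_t tcontext=kurt:sysadm_r:ping_t tclass=rawip_socket",
]

# Matches "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return (perms, source_type, target_type, tclass) for one denial, or None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type; only the type is relevant to an allow rule.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return perms, stype, ttype, fields["tclass"]


def allow_rules(lines):
    """Merge denials sharing (source, target, class) into one rule each, like audit2allow."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, stype, ttype, tclass = parsed
        wanted[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


# ASSUMED macro contents and existing rule (illustrative, not from the page).
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
CREATE_SOCKET_PERMS = RW_SOCKET_PERMS | {"create"}
EXISTING_PING_RAWIP = {"create", "setopt", "getopt", "bind", "read", "write"}


def macro_adds(macro_perms, existing):
    """Permissions the macro would newly grant beyond what the domain already has."""
    return sorted(macro_perms - existing)


def macro_covers(macro_perms, denied):
    """True if every denied permission is inside the macro's permission set."""
    return set(denied) <= macro_perms


if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
    print("create_socket_perms would add:", " ".join(macro_adds(CREATE_SOCKET_PERMS, EXISTING_PING_RAWIP)))
    # The self rule, macro or not, does nothing for the recvfrom denial: that one
    # has tcontext kernel_t and needs its own rule against that type.
    print("macro covers ioctl:", macro_covers(CREATE_SOCKET_PERMS, {"ioctl"}))
    print("macro covers recvfrom:", macro_covers(CREATE_SOCKET_PERMS, {"recvfrom"}))
```

Two things the script makes visible that the raw denials do not: the two ioctl denials collapse into a single self rule, and the recvfrom denial has a different target type (kernel_t), so neither the one-permission fix nor the macro form of the self rule touches it.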



