* AVC: IPv6 problems
From: Stefan Schulze Frielinghaus @ 2007-05-22 18:22 UTC
  To: SELinux List

Hello,

Periodically I receive the following AVC denial:

audit(1179815459.477:213): avc:  denied  { rawip_send } for   
saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX  
daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0  
scontext=system_u:system_r:kernel_t:s15:c0.c255  
tcontext=system_u:object_r:link_local_node_t:s0 tclass=node

My local rule-set:

allow kernel_t link_local_node_t:node rawip_send;
# another AVC denial which often comes up
allow kernel_t compat_ipv4_node_t:node rawip_send;

The rules seem to be ignored. Every day I receive some of the  
mentioned AVC denials despite the fact that the TE rules are loaded.  
Is this a known problem with IPv6 traffic in LANs? Is there even a
solution out there?

Best regards,
Stefan

PS: I'm using Debian (etch) with refpolicy-20061212.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: AVC: IPv6 problems
From: Paul Moore @ 2007-05-22 19:24 UTC
  To: Stefan Schulze Frielinghaus; +Cc: SELinux List

On Tuesday, May 22 2007 2:22:09 pm Stefan Schulze Frielinghaus wrote:
> Periodically I receive the following AVC denial:
>
> audit(1179815459.477:213): avc:  denied  { rawip_send } for
> saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX
> daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0
> scontext=system_u:system_r:kernel_t:s15:c0.c255
> tcontext=system_u:object_r:link_local_node_t:s0 tclass=node
>
> My local rule-set:
>
> allow kernel_t link_local_node_t:node rawip_send;
> # another AVC denial which often comes up
> allow kernel_t compat_ipv4_node_t:node rawip_send;
>
> The rules seem to be ignored. Every day I receive some of the
> mentioned AVC denials despite the fact that the TE rules are loaded.
> Is this a known problem with IPv6 traffic in LANs? Is there even a
> solution out there?

The problem doesn't appear to be related to the TE rules, but rather with the
MLS sensitivity labels.  The kernel is running with a very high sensitivity
label (s15:c0.c255) and it is trying to write/send to a node with a very low
sensitivity label (s0) which I believe violates the MLS constraints unless
the kernel_t domain or link_local_node_t object has a type attribute which
provides MLS overrides.

It's hard to say what the solution is because it most likely depends on what 
you are trying to do.  You might want to share your goals with the list and 
perhaps we can help, otherwise I would recommend you look at the MLS 
reference policy interfaces.

-- 
paul moore
linux security @ hp



* Re: AVC: IPv6 problems
From: Stefan Schulze Frielinghaus @ 2007-05-23 12:21 UTC
  To: Paul Moore; +Cc: SELinux List


On 22.05.2007, at 21:24, Paul Moore wrote:

> On Tuesday, May 22 2007 2:22:09 pm Stefan Schulze Frielinghaus wrote:
>> Periodically I receive the following AVC denial:
>>
>> audit(1179815459.477:213): avc:  denied  { rawip_send } for
>> saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX
>> daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0
>> scontext=system_u:system_r:kernel_t:s15:c0.c255
>> tcontext=system_u:object_r:link_local_node_t:s0 tclass=node
>>
>> My local rule-set:
>>
>> allow kernel_t link_local_node_t:node rawip_send;
>> # another AVC denial which often comes up
>> allow kernel_t compat_ipv4_node_t:node rawip_send;
>>
>> The rules seem to be ignored. Every day I receive some of the
>> mentioned AVC denials despite the fact that the TE rules are loaded.
>> Is this a known problem with IPv6 traffic in LANs? Is there even a
>> solution out there?
>
> The problem doesn't appear to be related to the TE rules, but rather with the
> MLS sensitivity labels.  The kernel is running with a very high sensitivity
> label (s15:c0.c255) and it is trying to write/send to a node with a very low
> sensitivity label (s0) which I believe violates the MLS constraints unless
> the kernel_t domain or link_local_node_t object has a type attribute which
> provides MLS overrides.

Whoops, you're right. I've always only looked at the TE rules but not at
the MLS rules!

>
> It's hard to say what the solution is because it most likely depends on what
> you are trying to do.  You might want to share your goals with the list and
> perhaps we can help, otherwise I would recommend you look at the MLS
> reference policy interfaces.

That's hard for me too. I can't reproduce the errors, so I don't
know where and who is producing these errors. The AVCs I've posted
were generated at 2 o'clock am and today I never saw any AVC
denials. Sometimes they come up periodically and sometimes only
sporadically. I will have a look at the denials and when they were
created; maybe I can reproduce the AVCs.
I hoped that this is a problem that someone solved before. But as
already mentioned I will watch them and try to figure out who is
creating these denials.

Best regards,
Stefan



* Re: AVC: IPv6 problems
From: Daniel J Walsh @ 2007-05-23 13:08 UTC
  To: Stefan Schulze Frielinghaus; +Cc: Paul Moore, SELinux List

Stefan Schulze Frielinghaus wrote:
>
> On 22.05.2007, at 21:24, Paul Moore wrote:
>
>> On Tuesday, May 22 2007 2:22:09 pm Stefan Schulze Frielinghaus wrote:
>>> Periodically I receive the following AVC denial:
>>>
>>> audit(1179815459.477:213): avc:  denied  { rawip_send } for
>>> saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX
>>> daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0
>>> scontext=system_u:system_r:kernel_t:s15:c0.c255
>>> tcontext=system_u:object_r:link_local_node_t:s0 tclass=node
>>>
>>> My local rule-set:
>>>
>>> allow kernel_t link_local_node_t:node rawip_send;
>>> # another AVC denial which often comes up
>>> allow kernel_t compat_ipv4_node_t:node rawip_send;
>>>
>>> The rules seem to be ignored. Every day I receive some of the
>>> mentioned AVC denials despite the fact that the TE rules are loaded.
>>> Is this a known problem with IPv6 traffic in LANs? Is there even a
>>> solution out there?
>>
>> The problem doesn't appear to be related to the TE rules, but rather with the
>> MLS sensitivity labels.  The kernel is running with a very high sensitivity
>> label (s15:c0.c255) and it is trying to write/send to a node with a very low
>> sensitivity label (s0) which I believe violates the MLS constraints unless
>> the kernel_t domain or link_local_node_t object has a type attribute which
>> provides MLS overrides.
>
> Whoops, you're right. I've always only looked at the TE rules but not at
> the MLS rules!
>
>>
>> It's hard to say what the solution is because it most likely depends on what
>> you are trying to do.  You might want to share your goals with the list and
>> perhaps we can help, otherwise I would recommend you look at the MLS
>> reference policy interfaces.
>
> That's hard for me too. I can't reproduce the errors, so I don't
> know where and who is producing these errors. The AVCs I've posted
> were generated at 2 o'clock am and today I never saw any AVC denials.
> Sometimes they come up periodically and sometimes only sporadically.
> I will have a look at the denials and when they were created; maybe I
> can reproduce the AVCs.
> I hoped that this is a problem that someone solved before. But as
> already mentioned I will watch them and try to figure out who is
> creating these denials.
>
> Best regards,
> Stefan

AVC denials can be caused by one of three things: missing TE rules,
missing RBAC rules, or violation of constraints.  audit2allow only
translates TE rules.  audit2why will look at a log file and tell you if
there is a constraint violation.  If you see SELINUX_ERR you probably
have an RBAC failure.


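As an added example (not code from the thread or from the SELinux tools), this Python script does the triage that Paul's first reply and Dan's reply describe: it parses an AVC record, checks whether the TE rule the denial asks for is already loaded, and only then compares the MLS levels of scontext and tcontext to flag a likely constraint violation instead of a TE gap. The sample record and the LOADED_RULES set are constructed from the denial and rule-set quoted above.

```python
import re

# Constructed sample record, modelled on the denial posted in this thread.
SAMPLE_AVC = (
    "audit(1179815459.477:213): avc:  denied  { rawip_send } for "
    "saddr=fe80::211:d8ff:feea:1 daddr=fe80::211:24ff:fee1:2 netif=eth0 "
    "scontext=system_u:system_r:kernel_t:s15:c0.c255 "
    "tcontext=system_u:object_r:link_local_node_t:s0 tclass=node"
)

# TE rules assumed to be loaded: (source type, target type, class, permission).
LOADED_RULES = {("kernel_t", "link_local_node_t", "node", "rawip_send")}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_level(level):
    """'s15:c0.c255' -> (15, {0..255}); 's0' -> (0, set())."""
    sens, _, cats_str = level.partition(":")
    cats = set()
    for chunk in filter(None, cats_str.split(",")):
        lo, _, hi = chunk.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), cats

def dominates(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(b) is a subset of cats(a)."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and cb <= ca

def split_context(ctx):
    """'user:role:type:low[-high]' -> (type, low, high); no MLS part means s0."""
    _user, _role, typ, *rest = ctx.split(":", 3)
    low, _, high = (rest[0] if rest else "s0").partition("-")
    return typ, low, high or low

def classify(record, loaded_rules=LOADED_RULES):
    """Return 'missing-te-rule', 'mls-constraint:<direction>' or 'other' for one AVC line."""
    m = AVC_RE.search(record)
    if not m:
        raise ValueError("not an AVC denial record")
    f = dict(FIELD_RE.findall(m.group("fields")))
    styp, slow, _ = split_context(f["scontext"])
    ttyp, tlow, _ = split_context(f["tcontext"])
    for perm in m.group("perms").split():
        if (styp, ttyp, f["tclass"], perm) not in loaded_rules:
            return "missing-te-rule"  # the case audit2allow's TE rule would fix
    # TE already allows it, so differing levels point at an MLS constraint:
    # s15:c0.c255 sending to s0 is a write-down that needs an MLS override.
    if parse_level(slow) != parse_level(tlow):
        if dominates(slow, tlow):
            return "mls-constraint:write-down"
        return "mls-constraint:write-up" if dominates(tlow, slow) else "mls-constraint:incomparable"
    return "other"  # levels equal and TE rule present: look for RBAC errors (SELINUX_ERR)
```

Run it over a real audit log one record at a time; a "mls-constraint" result is the signal to stop adding TE rules and look at the mlsconstrain rules and MLS interfaces instead.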


* Re: AVC: IPv6 problems
From: Paul Moore @ 2007-05-23 13:27 UTC
  To: Stefan Schulze Frielinghaus; +Cc: SELinux List

On Wednesday, May 23 2007 8:21:27 am Stefan Schulze Frielinghaus wrote:
> On 22.05.2007, at 21:24, Paul Moore wrote:
> > On Tuesday, May 22 2007 2:22:09 pm Stefan Schulze Frielinghaus wrote:
> >> Periodically I receive the following AVC denial:
> >>
> >> audit(1179815459.477:213): avc:  denied  { rawip_send } for
> >> saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX
> >> daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0
> >> scontext=system_u:system_r:kernel_t:s15:c0.c255
> >> tcontext=system_u:object_r:link_local_node_t:s0 tclass=node
>
> > It's hard to say what the solution is because it most likely
> > depends on what
> > you are trying to do.  You might want to share your goals with the
> > list and
> > perhaps we can help, otherwise I would recommend you look at the MLS
> > reference policy interfaces.
>
> That's hard for me too. I can't reproduce the errors, so I don't
> know where and who is producing these errors. The AVCs I've posted
> were generated at 2 o'clock am and today I never saw any AVC
> denials. Sometimes they come up periodically and sometimes only
> sporadically. I will have a look at the denials and when they were
> created; maybe I can reproduce the AVCs.
> I hoped that this is a problem that someone solved before. But as
> already mentioned I will watch them and try to figure out who is
> creating these denials.

I'll take a guess and say it may be related to IPv6 router advertisements,
neighbor solicitations, or duplicate address detection but I can't really be
sure.  It's been a few years since I've done any real work with IPv6 and I'm
a bit rusty about which class of addresses gets used for these things; I
believe it would be the link local address (what is seen in your AVC denial)
but I could be wrong.

Do you make use of IPv6 or is it simply enabled on your system?

-- 
paul moore
linux security @ hp



* Re: AVC: IPv6 problems
From: Stefan Schulze Frielinghaus @ 2007-05-24 5:04 UTC
  To: Paul Moore; +Cc: SELinux List


On 23.05.2007, at 15:27, Paul Moore wrote:

> On Wednesday, May 23 2007 8:21:27 am Stefan Schulze Frielinghaus wrote:
>> On 22.05.2007, at 21:24, Paul Moore wrote:
>>> On Tuesday, May 22 2007 2:22:09 pm Stefan Schulze Frielinghaus wrote:
>>>> Periodically I receive the following AVC denial:
>>>>
>>>> audit(1179815459.477:213): avc:  denied  { rawip_send } for
>>>> saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX
>>>> daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0
>>>> scontext=system_u:system_r:kernel_t:s15:c0.c255
>>>> tcontext=system_u:object_r:link_local_node_t:s0 tclass=node
>>
>>> It's hard to say what the solution is because it most likely
>>> depends on what
>>> you are trying to do.  You might want to share your goals with the
>>> list and
>>> perhaps we can help, otherwise I would recommend you look at the MLS
>>> reference policy interfaces.
>>
>> That's hard for me too. I can't reproduce the errors, so I don't
>> know where and who is producing these errors. The AVCs I've posted
>> were generated at 2 o'clock am and today I never saw any AVC
>> denials. Sometimes they come up periodically and sometimes only
>> sporadically. I will have a look at the denials and when they were
>> created; maybe I can reproduce the AVCs.
>> I hoped that this is a problem that someone solved before. But as
>> already mentioned I will watch them and try to figure out who is
>> creating these denials.
>
> I'll take a guess and say it may be related to IPv6 router advertisements,
> neighbor solicitations, or duplicate address detection but I can't really be
> sure.  It's been a few years since I've done any real work with IPv6 and I'm
> a bit rusty about which class of addresses gets used for these things; I
> believe it would be the link local address (what is seen in your AVC denial)
> but I could be wrong.

Yes, it's a link local address. SELinux is running on a central server machine
which also runs a RADVD daemon for "IPv6 DHCP like behaviour". The last two
days no AVC errors were created. So I will have to wait until a new one comes
up and maybe I will find the error.

I also guess that it's an RA, NS or DAD because you will only use link local
addresses for maintenance.

> Do you make use of IPv6 or is it simply enabled on your system?

Nearly all of my intranet traffic is IPv6. I really use that.


Best regards,
Stefan




* Re: AVC: IPv6 problems
From: Paul Moore @ 2007-05-24 13:53 UTC
  To: Stefan Schulze Frielinghaus; +Cc: SELinux List

On Thursday, May 24 2007 1:04:09 am Stefan Schulze Frielinghaus wrote:
> On 23.05.2007, at 15:27, Paul Moore wrote:
> > On Wednesday, May 23 2007 8:21:27 am Stefan Schulze Frielinghaus wrote:
> >> On 22.05.2007, at 21:24, Paul Moore wrote:
> >>> On Tuesday, May 22 2007 2:22:09 pm Stefan Schulze Frielinghaus wrote:
> >>>> Periodically I receive the following AVC denial:
> >>>>
> >>>> audit(1179815459.477:213): avc:  denied  { rawip_send } for
> >>>> saddr=fe80:0000:0000:0000:0211:d8ff:feea:XXXX
> >>>> daddr=fe80:0000:0000:0000:0211:24ff:fee1:YYYY netif=eth0
> >>>> scontext=system_u:system_r:kernel_t:s15:c0.c255
> >>>> tcontext=system_u:object_r:link_local_node_t:s0 tclass=node
> >>>
> >>> It's hard to say what the solution is because it most likely
> >>> depends on what
> >>> you are trying to do.  You might want to share your goals with the
> >>> list and
> >>> perhaps we can help, otherwise I would recommend you look at the MLS
> >>> reference policy interfaces.

Assuming you are not trying to enforce MLS access controls across the network 
using link_local_node_t you could always make it a trusted object:

 # this interface is defined in the mls.if file in reference policy
 mls_trusted_object(link_local_node_t)

-- 
paul moore
linux security @ hp

