From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <557F0974.4080109@tycho.nsa.gov>
Date: Mon, 15 Jun 2015 13:20:52 -0400
From: Stephen Smalley
MIME-Version: 1.0
To: Tim Shearer, "selinux@tycho.nsa.gov", Paul Moore
Subject: Re: Kernel error: SELinux: Invalid class 0
References: <33526A3108217C45B7DAFFA5277E4B67118AF1B3@mbx024-e1-nj-2.exch024.domain.local> <557F004B.8090703@tycho.nsa.gov>
In-Reply-To: <557F004B.8090703@tycho.nsa.gov>
Content-Type: text/plain; charset=windows-1252
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On 06/15/2015 12:41 PM, Stephen Smalley wrote:
> On 06/12/2015 01:48 PM, Tim Shearer wrote:
>> Hi all,
>>
>> Environment: CentOS 7, with either stock 3.10 kernel, or custom 3.19 kernel.
>>
>> I’m getting an AVC denial message in the audit logs that corresponds to
>> the opening of a TIPC socket (AF_TIPC). The denial seems valid, and
>> is triggered by a custom C++ application that hasn’t yet been assigned
>> an appropriate security context. The problem I’m having is that the AVC
>> message is garbled (non-ASCII data in the denied and tclass fields),
>> which makes it difficult to assemble a new policy:
>>
>> ----
>>
>> type=AVC msg=audit(1434126658.487:34500): avc: denied {
>> *garbage_characters* } for pid=292 comm="kworker/u16:5"
>> scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=*garbage_characters*
>> permissive=0
>>
>> ----
>>
>> This corresponds to a kernel error that shows up in the debuglog:
>>
>> SELinux: Invalid class 0
>
> This suggests that the tipc kernel module is creating a socket in some
> manner without initializing its security state.
>
> Can you provide a reproducer program that triggers the error?

Looks to me as if tipc_accept() never calls sock_graft() or
security_sk_clone() so it will never initialize the security state of
the new sock. Kernel bug.
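
A log-triage sketch for the symptom discussed in this thread, added here as an example and not code from the posters or the SELinux project: it flags AVC records whose permission or tclass fields are not valid policy names and collects the class numbers reported by "SELinux: Invalid class" kernel messages. The sample lines, the bytes standing in for the garbled fields, and all function names are constructed for illustration; it assumes class and permission names consist only of [a-z0-9_].

```python
import re

# Constructed samples modelled on the AVC quoted above; the bytes standing in
# for the garbled fields and the second (healthy) record are invented.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1434126658.487:34500): avc:  denied  { \x01\xfe\x7f } for  '
    'pid=292 comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=\x90\x03 permissive=0',
    'type=AVC msg=audit(1434126660.101:34501): avc:  denied  { read write } for  '
    'pid=811 comm="myapp" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
]
SAMPLE_KLOG = ["SELinux:  Invalid class 0", "audit: backlog limit exceeded"]

AVC_RE = re.compile(
    r"msg=audit\((?P<stamp>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>.*?)\}\s+for\s+(?P<rest>.*)$", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# Assumption: policy class/permission names use only these characters.
NAME_RE = re.compile(r"[a-z0-9_]+")
INVALID_CLASS_RE = re.compile(r"SELinux:\s+Invalid class (\d+)")

def parse_avc(line):
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["stamp"] = m.group("stamp")
    rec["perms"] = m.group("perms").split()
    return rec

def is_garbled(rec):
    """True when the permission set or tclass is empty or not a policy name."""
    names = rec["perms"] + [rec.get("tclass", "")]
    return not rec["perms"] or any(not NAME_RE.fullmatch(n) for n in names)

def triage(audit_lines, kernel_lines):
    """Return (garbled AVC records, class numbers the kernel called invalid)."""
    records = (parse_avc(line) for line in audit_lines)
    bad = [r for r in records if r and is_garbled(r)]
    hits = (INVALID_CLASS_RE.search(line) for line in kernel_lines)
    return bad, sorted({int(h.group(1)) for h in hits if h})

if __name__ == "__main__":
    garbled, classes = triage(SAMPLE_AUDIT, SAMPLE_KLOG)
    for r in garbled:
        # repr() keeps non-printable bytes visible instead of corrupting the terminal
        print(r["stamp"], r["comm"], r["scontext"], r["tcontext"], repr(r["tclass"]))
    print("invalid classes reported by kernel:", classes)
```

The comm, scontext and tcontext of each flagged record identify which kernel path created the object without a security class, which is the information needed for a bug report like the one above.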