[Fwd: Re: Access attempts]

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 18 14:38:08 UTC 2007


On Wed, 2007-01-17 at 13:32 -0700, Ken wrote:
> I just realized I sent this to myself instead of to the list...
> 
> -------- Original Message --------
> Subject: Re: Access attempts
> Date: Fri, 12 Jan 2007 17:13:13 -0700
> From: Ken <mantaray_1 at cox.net>
> To: Ken <mantaray_1 at cox.net>
> References: <45A81E60.9020409 at cox.net>
> 
> 
> Ken wrote:
> > I was hoping someone could help me to understand what might be 
> > happening to trigger the access attempts I am blocking with my policy 
> > which are listed below.  They only seem to appear when I am logged in 
> > to the "Blackboard" program at the university I attend.  I have 
> > already taken several steps to limit what my browser can do, and I do 
> > not understand how it can trigger such attempts.
> > **********************
> > **********************
> > Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc:  
> > denied  { rawip_send } for  saddr=192.168.0.2 src=60945 
> > daddr=129.219.10.40 dest=443 netif=eth0 
> > scontext=system_u:system_r:kernel_t:s15:c0.c255 
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> >
> > Jan 11 15:39:17 schoolhost kernel: audit(1168555157.992:588): avc:  
> > denied  { rawip_send } for  saddr=192.168.0.2 src=60945 
> > daddr=129.219.10.40 dest=443 netif=eth0 
> > scontext=system_u:system_r:kernel_t:s15:c0.c255 
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> >
> > Jan 11 15:39:18 schoolhost kernel: audit(1168555158.212:590): avc:  
> > denied  { rawip_send } for  saddr=192.168.0.2 src=45910 
> > daddr=129.219.10.30 dest=443 netif=eth0 
> > scontext=system_u:system_r:kernel_t:s15:c0.c255 
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> >
> > Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc:  
> > denied  { rawip_send } for  pid=2465 comm="X" saddr=192.168.0.2 
> > src=60945 daddr=129.219.10.40 dest=443 netif=eth0 
> > scontext=system_u:system_r:kernel_t:s15:c0.c255 
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> > **********************
> > **********************
> >
> > Thanks in advance,
> > Ken.
> >
> > -- 
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> I just noticed that I sent the wrong part of the log.   I accidentally 
> removed this from the previous post instead of the repeated messages:
> 
> ************
> ************
> Jan 11 15:39:18 schoolhost kernel: audit(1168555158.481:593): avc:  
> denied  { rawip_send } for  pid=417 comm="kjournald" saddr=192.168.0.2 
> src=45910 daddr=129.219.10.30 dest=443 netif=eth0 
> scontext=system_u:system_r:kernel_t:s15:c0.c255 
> tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> ************
> ************
> 
> My concern is that somehow the browser seems to be able to entice other 
> running processes, such as "X" and "kjournald" to attempt Internet access.

No, the avc message is just misleading.  The pid/comm information for
network layer permission checks is unreliable because the packet
send/recv isn't necessarily happening in the context of the process that
initiated the send or that will handle the recv.  Note in particular the
use of kernel_t in the scontext; that is a kernel socket, e.g. ICMP
traffic.

-- 
Stephen Smalley
National Security Agency
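The point Stephen makes above is easy to lose when triaging AVC logs in bulk: the `pid=`/`comm=` fields on a `netif`-class (or other network-layer) denial, and on any denial whose source type is `kernel_t`, do not identify the process that caused the traffic. The following parser is an added example, not code from the thread or from the SELinux project. It splits a raw AVC line into its fields and flags records where pid/comm should not be trusted, using the exact denials Ken posted (joined back onto single lines) plus one constructed file-class denial for contrast. The set of "network" object classes and the constructed line are assumptions made here for illustration.

```python
import re

# AVC records copied from the thread above (the mail client wrapped them;
# they are rejoined onto single lines here).
SAMPLE_AVC = [
    'Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc:  denied  '
    '{ rawip_send } for  saddr=192.168.0.2 src=60945 daddr=129.219.10.40 dest=443 '
    'netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 '
    'tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif',
    'Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc:  denied  '
    '{ rawip_send } for  pid=2465 comm="X" saddr=192.168.0.2 src=60945 '
    'daddr=129.219.10.40 dest=443 netif=eth0 '
    'scontext=system_u:system_r:kernel_t:s15:c0.c255 '
    'tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif',
    'Jan 11 15:39:18 schoolhost kernel: audit(1168555158.481:593): avc:  denied  '
    '{ rawip_send } for  pid=417 comm="kjournald" saddr=192.168.0.2 src=45910 '
    'daddr=129.219.10.30 dest=443 netif=eth0 '
    'scontext=system_u:system_r:kernel_t:s15:c0.c255 '
    'tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif',
]

# Constructed (not from the thread): an ordinary file-class denial, where the
# check runs in the calling process and pid/comm are meaningful.
CONSTRUCTED_FILE_AVC = (
    'Jan 11 15:40:02 schoolhost kernel: audit(1168555202.100:601): avc:  denied  '
    '{ read } for  pid=3001 comm="example-app" name="shadow" dev=hda2 ino=4242 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 '
    'tclass=file'
)

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+?) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="X") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose hooks run while a packet is being processed, i.e. not
# necessarily in the context of the task that initiated the send/recv.
# Assumed set for this example.
NETWORK_CLASSES = {'netif', 'node', 'packet', 'peer'}


def parse_avc(line):
    """Split one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:range]; keep the type for policy lookups.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':', 3)
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else None
    return rec


def pid_comm_reliable(rec):
    """False when pid/comm must not be read as 'the process that did this':
    network-layer classes (packet context), or a kernel_t source, which is a
    kernel-owned socket rather than a user process."""
    if rec.get('tclass') in NETWORK_CLASSES:
        return False
    if rec.get('scontext_type') == 'kernel_t':
        return False
    return True


def summarize(line):
    """Reduce a record to the fields an analyst triages on."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return {
        'serial': rec['serial'],
        'perms': rec['perms'],
        'tclass': rec.get('tclass'),
        'source_type': rec.get('scontext_type'),
        'pid': rec.get('pid'),
        'comm': rec.get('comm'),
        'pid_comm_reliable': pid_comm_reliable(rec),
        'flow': '%s:%s -> %s:%s' % (rec.get('saddr'), rec.get('src'),
                                    rec.get('daddr'), rec.get('dest')),
    }


if __name__ == '__main__':
    for line in SAMPLE_AVC + [CONSTRUCTED_FILE_AVC]:
        print(summarize(line))
```

Run against the three lines from the thread, every summary comes back with `pid_comm_reliable` false even where `comm="X"` or `comm="kjournald"` is present, which is the signal to stop attributing the traffic to those processes and look at the flow (`192.168.0.2 -> 129.219.10.x:443`) and the `kernel_t` source type instead.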



