[Fwd: Re: Access attempts]
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 18 14:38:08 UTC 2007
On Wed, 2007-01-17 at 13:32 -0700, Ken wrote:
> I just realized I sent this to myself instead of to the list...
>
> -------- Original Message --------
> Subject:
> Re: Access attempts
> Date:
> Fri, 12 Jan 2007 17:13:13 -0700
> From:
> Ken <mantaray_1 at cox.net>
> To:
> Ken <mantaray_1 at cox.net>
> References:
> <45A81E60.9020409 at cox.net>
>
>
> Ken wrote:
> > I was hoping someone could help me to understand what might be
> > happening to trigger the access attempts I am blocking with my policy
> > which are listed below. They only seem to appear when I am logged in
> > to the "Blackboard" program at the university I attend. I have
> > already taken several steps to limit what my browser can do, and I do
> > not understand how it can trigger such attempts.
> > **********************
> > **********************
> > Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc:
> > denied { rawip_send } for saddr=192.168.0.2 src=60945
> > daddr=129.219.10.40 dest=443 netif=eth0
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> >
> > Jan 11 15:39:17 schoolhost kernel: audit(1168555157.992:588): avc:
> > denied { rawip_send } for saddr=192.168.0.2 src=60945
> > daddr=129.219.10.40 dest=443 netif=eth0
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> >
> > Jan 11 15:39:18 schoolhost kernel: audit(1168555158.212:590): avc:
> > denied { rawip_send } for saddr=192.168.0.2 src=45910
> > daddr=129.219.10.30 dest=443 netif=eth0
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> >
> > Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc:
> > denied { rawip_send } for pid=2465 comm="X" saddr=192.168.0.2
> > src=60945 daddr=129.219.10.40 dest=443 netif=eth0
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> > **********************
> > **********************
> >
> > Thanks in advance,
> > Ken.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> I just noticed that I sent the wrong part of the log. I accidentally
> removed this from the previous post instead of the repeated messages:
>
> ************
> ************
> Jan 11 15:39:18 schoolhost kernel: audit(1168555158.481:593): avc:
> denied { rawip_send } for pid=417 comm="kjournald" saddr=192.168.0.2
> src=45910 daddr=129.219.10.30 dest=443 netif=eth0
> scontext=system_u:system_r:kernel_t:s15:c0.c255
> tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
> ************
> ************
>
> My concern is that somehow the browser seems to be able to entice other
> running processes, such as "X" and "kjournald" to attempt Internet access.
No, the avc message is just misleading. The pid/comm information for
network layer permission checks is unreliable because the packet
send/recv isn't necessarily happening in the context of the process that
initiated the send or that will handle the recv. Note in particular the
use of kernel_t in the scontext; that is a kernel socket, e.g. ICMP
traffic.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list