labeling traffic over lo

Joshua Roys joshua.roys at gtri.gatech.edu
Fri Dec 18 20:13:13 UTC 2009


Hello,

I am trying to have some applications communicate over loopback under an
f12 mls policy using some sort of labeled networking, the reason being
that otherwise I hit a selinux avc about an unlabeled_t ingress:

avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo 
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023 
tcontext=...:lo_netif_t:s0-s15:c0.c1023 tclass=netif

Thus far I have tried secmark, but there appear to be issues.  I have 
incoming and outgoing labeled ipsec from this box working, until I add a 
secmark rule like:

iptables -t mangle -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -i lo 
--dport $secondary_app_port -j SECMARK --selctx 
system_u:system_r:httpd_t:s0-s1:c0,c3

And then labeled ipsec falls over and I get avcs similar to:

avc: denied { recv } for saddr=$remote daddr=$local netif=eth0 
scontext=...:application_t tcontext=...:unlabeled_t tclass=packet

It seems as if having any secmark labels causes selinux to "forget" 
about the labels retrieved from labeled ipsec?  When I delete the 
secmark rule, I return to getting ingress avcs...

Any ideas?

Thanks,

Josh
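An added example, not code from the post or from the fedora-selinux list: a small Python parser for avc lines of the shape quoted above, which separates the two denial patterns seen here (an unlabeled_t ingress on lo, and an application denied recv on an unlabeled_t packet). The sample lines are constructed from the post, with the elided "..." contexts and $remote/$local replaced by placeholder values; the "unlabeled-secmark" diagnosis assumes the kernel behaviour that, once any SECMARK rule is loaded, a packet matched by no rule is checked in the packet class as unlabeled_t.

```python
import re

# Constructed sample: the two denials quoted in the post. The elided
# contexts and the $remote/$local addresses are placeholders.
SAMPLE_AVCS = [
    "avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo "
    "scontext=system_u:object_r:unlabeled_t:s15:c0.c1023 "
    "tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif",
    "avc: denied { recv } for saddr=192.0.2.10 daddr=192.0.2.20 netif=eth0 "
    "scontext=system_u:system_r:application_t:s0 "
    "tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the avc fields, or None if the line is not an avc."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def context_type(ctx):
    # user:role:type[:range] -> type
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def diagnose(rec):
    """Classify the network denial shapes relevant to labeled networking.
    Assumption (kernel behaviour, not stated in the post): with SECMARK
    rules loaded, a packet no rule matched is checked as unlabeled_t."""
    tclass = rec.get("tclass")
    if tclass == "netif" and context_type(rec["scontext"]) == "unlabeled_t":
        return "unlabeled-netif"      # no label at all on this interface's traffic
    if tclass == "packet" and context_type(rec["tcontext"]) == "unlabeled_t":
        return "unlabeled-secmark"    # SECMARK active, but no rule matched the flow
    return "other"


def summarize(lines):
    """(netif, tclass, diagnosis) for every avc line in the input."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec.get("netif"), rec.get("tclass"), diagnose(rec)))
    return out
```

Feeding the two sample lines through summarize() separates the lo ingress denial from the eth0 packet denial, which is the distinction to look for when deciding which flows still need a SECMARK rule.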
