bizarre packet labelings

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 18 12:33:11 UTC 2009


On Wed, 2009-06-17 at 14:21 -0700, brian retford wrote:
> 2.6.18, with some custom kernel modules -- there is an off chance that
> they are interacting, but I doubt it.

Well, you have some kind of kernel bug, whether it lies in those custom
kernel modules or elsewhere I don't know.  Obviously removing those
custom kernel modules and re-testing would help eliminate them as
possible causes.

> -b
> 
> On Wed, Jun 17, 2009 at 12:47 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>         
>         On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
>         > We have a fairly customized centos 5.3 distribution, but I know of
>         > nothing that would cause the behavior I'm seeing. We don't use
>         > iptables or ipsec, secmark is enabled in the kernel. I get avc denied
>         > messages for packets that almost certainly do exist, but the targets
>         > almost never make sense (at least to me), things like ls_exec_t,
>         > lib_t, and other seemingly random types. Thoughts?
>         >
>         > avc:  denied  { send } for  pid=3202 comm="sshd" saddr=172.27.13.41
>         > src=22 daddr=172.27.134.1 dest=40428 netif=eth0
>         > scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
>         > tcontext=system_u:object_r:lib_t:s0 tclass=packet
>         
>         If you haven't configured iptables to mark packets with those contexts,
>         then you shouldn't get any such denials.
>         
>         So either you have a weird iptables configuration or you have a kernel
>         bug.
>         
>         What kernel are you using?
>         
>         --
>         Stephen Smalley
>         National Security Agency
>         
> 
> 
-- 
Stephen Smalley
National Security Agency
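As an added example (not part of the thread), a small Python check that applies the reasoning in Stephen's reply: with secmark enabled but no iptables rules marking packets, a tclass=packet denial should never name an arbitrary file type such as lib_t. It parses AVC records like the one quoted above and reports packet-class denials whose target type is not in the set of types the site's SECMARK rules are meant to assign; the expected-type set and the two extra audit lines are constructed for this example.

```python
import re

# Matches the permission set, e.g. `{ send }`, then the key=value fields of an AVC record.
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's perms and key=value fields, or None if the line is not an AVC denial."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Type field of a user:role:type[:range] security context, e.g. lib_t."""
    return ctx.split(":")[2]

def unexpected_packet_denials(lines, expected_packet_types):
    """Packet-class denials whose target type no SECMARK rule is supposed to assign (empty set = report all)."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "packet":
            continue
        ttype = context_type(rec["tcontext"])
        if ttype not in expected_packet_types:
            hits.append((ttype, rec.get("comm"), rec.get("saddr"), rec.get("daddr")))
    return hits

# The denial from the thread rejoined onto one line (audit records are not wrapped), plus two
# constructed records: a packet denial against a plausible SECMARK type and an unrelated file denial.
SAMPLE_AUDIT = [
    'avc:  denied  { send } for  pid=3202 comm="sshd" saddr=172.27.13.41 src=22 '
    'daddr=172.27.134.1 dest=40428 netif=eth0 '
    'scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=packet',
    'avc:  denied  { recv } for  pid=3202 comm="sshd" saddr=172.27.134.1 src=40428 '
    'daddr=172.27.13.41 dest=22 netif=eth0 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:ssh_server_packet_t:s0 tclass=packet',
    'avc:  denied  { read } for  pid=4101 comm="httpd" name="index.html" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]
# Constructed: the packet types this site's SECMARK rules are assumed to assign.
EXPECTED_PACKET_TYPES = {"ssh_server_packet_t"}

if __name__ == "__main__":
    for hit in unexpected_packet_denials(SAMPLE_AUDIT, EXPECTED_PACKET_TYPES):
        print("unexplained packet label %s (comm=%s %s -> %s)" % hit)
```

On a box with no SECMARK rules at all, pass an empty set so that every packet-class denial is reported, since none should occur.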