strange avc with racoon under f-11 mls

Joshua Roys joshua.roys at gtri.gatech.edu
Wed Oct 14 22:42:31 UTC 2009


On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>
>> avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>
>> On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
>>
> Did you run the AVC through audit2why?

It said: Policy constraint violation.

Looking at policy/mls, I see this:
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
         (( l1 dom l2 ) or
          (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
          ( t1 == mlsnetread ));

And here are our contexts:
scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023

According to:
http://www.patrickmcdaniel.org/pubs/sacmat07.pdf
the mlsconstrain above expands to:

subject = system_u:system_r:racoon_t:s0-s15:c0.c1023
object = system_u:object_r:unlabeled_t:s15-s15:c0.c1023
l1 dom l2 = opl(dom, getl(subject), getl(object))
           = opl(dom, s0, s15)
           = FALSE

mlsnetreadtoclr appears to only be granted via:
policy/modules/kernel/mls.if: mls_socket_read_to_clearance
which is not granted to racoon_t

and mlsnetread:
policy/modules/kernel/mls.if: mls_socket_read_all_levels
which is also not given to racoon_t.

mlsconstrain { peer packet } { recv }
         (( FALSE ) or
          (( FALSE ) and ( h1 dom l2 )) or
          ( FALSE ));

So, does anyone have a pointer to why my traffic is coming in at s15? 
Or any other advice would be appreciated!

Thanks for your help so far,

--
Josh
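The constraint evaluation Josh walks through by hand (l1 dom l2, then the two attribute escapes) can be mechanised. The script below is an added example, not code from the post, from refpolicy or from any SELinux tool: it parses the scontext/tcontext pair out of the AVC line quoted in the thread, expands the MLS ranges, and evaluates the `mlsconstrain { peer packet } { recv }` expression for the cases the post discusses (racoon_t as is, racoon_t with mlsnetreadtoclr via mls_socket_read_to_clearance(), racoon_t with mlsnetread via mls_socket_read_all_levels(), and the same packet arriving at s0). The mapping from type to MLS attribute is supplied by hand in a dict (`type_attrs`) rather than read from the compiled policy, and all helper names (`parse_avc`, `recv_allowed`, `evaluate_thread_case`) are this example's own.

```python
"""Evaluate the MLS peer/packet recv constraint from the thread:

    mlsconstrain { peer packet } { recv }
        (( l1 dom l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ));

l1/h1 are the subject's low level and clearance, l2 the object's level,
t1 the subject type. 'dom' means: sensitivity >= and categories a superset.
"""
import re
from dataclasses import dataclass

# The AVC from the post, joined onto one line (constructed copy of the quoted message).
AVC_LINE = ("avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500 "
            "netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 "
            "tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer")


@dataclass(frozen=True)
class Level:
    sens: int             # sensitivity sN
    cats: frozenset       # category numbers cN

    def dom(self, other):
        """MLS dominance: this level dominates 'other'."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_cats(spec):
    """Expand a category spec such as 'c0.c1023' or 'c1,c5.c7' into a set of ints."""
    cats = set()
    for part in (spec or "").split(","):
        if not part:
            continue
        if "." in part:                       # range: cN.cM
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text):
    m = re.fullmatch(r"s(\d+)(?::([c0-9.,]+))?", text)
    if not m:
        raise ValueError("bad MLS level: " + text)
    return Level(int(m.group(1)), parse_cats(m.group(2)))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level     # l: current level
    high: Level    # h: clearance; equals low for a single-level context (the post's s15-s15)


def parse_context(text):
    """Parse 'user:role:type:low[-high]' exactly as printed in an AVC message."""
    user, role, type_, rng = text.split(":", 3)
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return Context(user, role, type_, lo, parse_level(high) if high else lo)


def parse_avc(line):
    """Return (subject, object) contexts from an AVC denial line."""
    s = re.search(r"scontext=(\S+)", line).group(1)
    t = re.search(r"tcontext=(\S+)", line).group(1)
    return parse_context(s), parse_context(t)


def recv_allowed(subject, obj, type_attrs):
    """Evaluate the constraint. type_attrs maps a type name to the MLS attributes
    the policy grants it (assumption: filled in by hand here, not read from policy).
    mls_socket_read_to_clearance() -> mlsnetreadtoclr, mls_socket_read_all_levels() -> mlsnetread."""
    attrs = type_attrs.get(subject.type, set())
    l1, h1, l2 = subject.low, subject.high, obj.low
    return (l1.dom(l2)
            or ("mlsnetreadtoclr" in attrs and h1.dom(l2))
            or "mlsnetread" in attrs)


def evaluate_thread_case():
    """The denial from the post plus the three ways out of it."""
    subj, obj = parse_avc(AVC_LINE)
    packet_at_s0 = parse_context("system_u:object_r:unlabeled_t:s0")
    return {
        "as_denied": recv_allowed(subj, obj, {}),
        "with_mlsnetreadtoclr": recv_allowed(subj, obj, {"racoon_t": {"mlsnetreadtoclr"}}),
        "with_mlsnetread": recv_allowed(subj, obj, {"racoon_t": {"mlsnetread"}}),
        "packet_at_s0": recv_allowed(subj, packet_at_s0, {}),
    }


if __name__ == "__main__":
    for case, ok in evaluate_thread_case().items():
        print(f"{case:24s} -> {'allowed' if ok else 'DENIED'}")
```

The first case reproduces the `Policy constraint violation`: l1 is s0, l2 is s15, and neither attribute is on racoon_t. The second case shows why mls_socket_read_to_clearance() would be enough for this particular packet: h1 (s15:c0.c1023) dominates l2 (s15:c0.c1023). Note that `Level.dom` also checks categories, so a subject at plain s15 would still not dominate s15:c0.c1023.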