Running today's policy, I have boot/network problems. Fixed the boot problems by turning off hplip/cups. It appears more 'netif' work is needed:

[root@tlondon ~]# ausearch -m avc,selinux_err -ts 12/16/2005 |audit2allow -l
allow avahi_t null_device_t:netif udp_send;
allow cupsd_t null_device_t:netif tcp_send;
allow hplip_t null_device_t:netif tcp_send;
allow kernel_t null_device_t:netif rawip_send;
allow ntpd_t null_device_t:netif udp_send;
allow ntpd_t policy_config_t:udp_socket node_bind;
allow ping_t null_device_t:netif rawip_recv;
allow ping_t policy_config_t:node rawip_recv;
allow unconfined_t null_device_t:netif tcp_recv;
allow unconfined_t policy_config_t:node udp_recv;
allow unconfined_t sysctl_t:tcp_socket recv_msg;
allow unconfined_t sysctl_t:udp_socket send_msg;
[root@tlondon ~]#

Note the target types (null_device_t on netif, policy_config_t on node, sysctl_t on the sockets): these look like wrong labels rather than missing rules, so the audit2allow output above is for diagnosis only, not something to load as-is.

Here are a few AVCs:

----
time->Fri Dec 16 07:06:31 2005
type=AVC msg=audit(1134745591.755:5): avc: denied { tcp_send } for pid=2686 comm="python" saddr=127.0.0.1 src=37866 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:06:34 2005
type=AVC msg=audit(1134745594.243:6): avc: denied { tcp_send } for pid=2713 comm="hp" saddr=127.0.0.1 src=37867 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:06:34 2005
type=AVC msg=audit(1134745594.755:7): avc: denied { tcp_send } for saddr=127.0.0.1 src=37866 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
-------
time->Fri Dec 16 07:16:44 2005
type=SOCKETCALL msg=audit(1134746204.111:5): nargs=4 a0=4 a1=bfbf3450 a2=20 a3=0
type=SYSCALL msg=audit(1134746204.111:5): arch=40000003 syscall=102 success=no exit=-1 a0=9 a1=bfbf30e4 a2=771ff4 a3=20 items=0 pid=2731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ntpdate"
exe="/usr/sbin/ntpdate"
type=AVC msg=audit(1134746204.111:5): avc: denied { udp_send } for pid=2731 comm="ntpdate" saddr=192.168.1.101 src=32768 daddr=68.87.76.178 dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:16:57 2005
type=SOCKETCALL msg=audit(1134746217.580:190): nargs=3 a0=d a1=bfae85ec a2=0
type=SOCKADDR msg=audit(1134746217.580:190): saddr=020014E9E00000FB0000000000000000
type=SYSCALL msg=audit(1134746217.580:190): arch=40000003 syscall=102 success=no exit=-1 a0=10 a1=bfae8590 a2=af5134 a3=d items=0 pid=2814 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
type=AVC msg=audit(1134746217.580:190): avc: denied { udp_recv } for pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
type=AVC msg=audit(1134746217.580:190): avc: denied { udp_send } for pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
<<<<<Many more>>>>>

tom

--
Tom London