Re: FC6T1 avc denied messages

On Sun, 2006-06-25 at 20:17 -0400, Valdis.Kletnieks@xxxxxx wrote:
> On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
> > I relabeled with:
> > setfiles /etc/selinux/targeted/contexts/files/file_contexts /
> > but the problem persists.
> 
> That's not the problem...  This is the SECMARK stuff for packet labelling.
> 
> > [root@gadwall etc]# grep "avc:  denied" /var/log/messages | more
> 
> > Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc:  denied  { send } for  pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> 
> "Oh, bother", said Pooh, as he chambered another round...

Excellent juxtaposition of sweetness and malice!

> 
> Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
> 
> http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball.
> Note that parts of this have already made it upstream (for example, the patch
> to serefpolicy is upstreamed already, and the kernel parts are in Linus's
> tree already).  I did have to patch iptables though, and add an rc.d script
> to set it up during boot...
> 
> I've appended a writeup James Morris did on Secmark 1.1, which gives some hints
> of how to set it up.
> 
> Is all of this on track to be included in FC6?  And in particular, how
> is the rc.d scripting planned to work?
> > -------- Forwarded Message --------
> > From: James Morris <jmorris@xxxxxxxxx>
> > To: selinux@xxxxxxxxxxxxx
> > Cc: netdev@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxxxxxx,
> > Stephen Smalley <sds@xxxxxxxxxxxxx>, Daniel J Walsh
> > <dwalsh@xxxxxxxxxx>, Karl MacMillan <kmacmillan@xxxxxxxxxx>, Patrick
> > McHardy <kaber@xxxxxxxxx>, David S. Miller <davem@xxxxxxxxxxxxx>,
> > Thomas Bleher <bleher@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> > Subject: [RFC] SECMARK 1.1
> > Date: Sun, 14 May 2006 02:03:31 -0400 (EDT)
> > 

--snip--

Enforcing mode in FC6T1 currently prevents certain network traffic, so
I've gone to Permissive as a workaround.  I'm a bit of a neophyte when
it comes to SELinux.  Shall I presume y'all know how to fix this and I
should just wait quietly for the fix to trickle down to me?

Thanks,
Jay

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
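
An added example, not part of the original thread: a small triage script that separates the packet-class denials discussed above (target type unlabeled_t, which relabeling files with setfiles does not change) from other AVC denials. The function names and the second and third sample log lines are constructed for illustration; only the first log line is taken from the message.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the thread, line 2 is a
# made-up file-class denial for contrast, line 3 is unrelated kernel noise.
SAMPLE_LOG = """\
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc:  denied  { send } for  pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:13:01 gadwall kernel: audit(1151226781.100:29): avc:  denied  { read } for  pid=4400 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Jun 25 04:13:02 gadwall kernel: eth0: link up
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's key=value fields plus 'perms', or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """The type is the third field of user:role:type[:mls]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def classify(rec):
    """'packet-unlabeled': the packet carried no SECMARK label, so file relabeling cannot fix it."""
    if rec.get("tclass") != "packet":
        return "other"
    unlabeled = context_type(rec.get("tcontext", "")) == "unlabeled_t"
    return "packet-unlabeled" if unlabeled else "packet-labeled"


def triage(text):
    """Count denials per category; list (comm, source type, perms, netif) for unlabeled packets."""
    counts, hits = Counter(), []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        kind = classify(rec)
        counts[kind] += 1
        if kind == "packet-unlabeled":
            hits.append((rec.get("comm"), context_type(rec.get("scontext", "")),
                         " ".join(rec["perms"]), rec.get("netif")))
    return counts, hits


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```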
