Hello,
I am trying to have some applications communicate over loopback under an
F12 MLS policy using some sort of labeled networking, the reason being
that otherwise I hit an SELinux AVC about an unlabeled_t ingress:
avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=...:lo_netif_t:s0-s15:c0.c1023 tclass=netif
Thus far I have tried SECMARK, but there appear to be issues. I have
incoming and outgoing labeled IPsec from this box working, until I add a
SECMARK rule like:
iptables -t mangle -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -i lo
--dport $secondary_app_port -j SECMARK --selctx
system_u:system_r:httpd_t:s0-s1:c0,c3
And then labeled IPsec falls over and I get AVCs similar to:
avc: denied { recv } for saddr=$remote daddr=$local netif=eth0
scontext=...:application_t tcontext=...:unlabeled_t tclass=packet
It seems as if having any SECMARK labels causes SELinux to "forget"
about the labels retrieved from labeled IPsec? When I delete the
SECMARK rule, I return to getting ingress AVCs...
Any ideas?
Thanks,
Josh
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
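Added example, not from the post or the list: a small shell check over a constructed iptables-save excerpt (modelled on the rule above, with a made-up port) that lists the loaded SECMARK rules and flags an interface that none of them cover. It rests on the SECMARK behaviour that, once any SECMARK rule is loaded, packets matching no rule carry no mark and are checked against the packet class as unlabeled_t, which is what the recv denials on eth0 look like.

```shell
#!/bin/sh
# Constructed iptables-save excerpt of the mangle table (sample input,
# not taken from the poster's machine; port 8080 is a placeholder).
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m tcp --dport 8080 -j SECMARK --selctx system_u:system_r:httpd_t:s0-s1:c0,c3
COMMIT'

# Read iptables-save text on stdin and print one line per SECMARK rule:
# chain, input interface (or "any" when the rule has no -i match), selctx.
list_secmark_rules() {
    awk '/-j SECMARK/ {
        chain = $2; iface = "any"; ctx = "?";
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1);
            if ($i == "--selctx") ctx = $(i + 1);
        }
        print chain, iface, ctx
    }'
}

# Return 0 (a gap exists) when SECMARK rules are loaded but none of them
# matches traffic on the given interface: such packets get no secmark and
# are treated as unlabeled_t, regardless of any labeled IPsec SA.
# Return 1 when SECMARK is not in use at all or the interface is covered.
secmark_gap_on_iface() {
    iface="$1"
    rules=$(list_secmark_rules)
    [ -n "$rules" ] || return 1
    printf '%s\n' "$rules" | awk -v want="$iface" \
        '$2 == want || $2 == "any" { found = 1 } END { exit found ? 1 : 0 }'
}

# Stand-alone usage: report the gap for the interface named in the AVC.
if printf '%s\n' "$SAMPLE_RULES" | secmark_gap_on_iface eth0; then
    echo "SECMARK is enabled but no rule marks packets on eth0; they are unlabeled_t"
fi
```

On a live box, replace the sample with `iptables-save -t mangle | secmark_gap_on_iface eth0`.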