I'm helping a co-worker with a policy problem. In permissive he gets a couple denials:

type=AVC msg=audit(1272049866.598:32539): avc: denied { send_msg } for saddr=192.168.99.128 src=32786 daddr=192.168.99.1 dest=22 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:ssh_port_t tclass=tcp_socket

type=AVC msg=audit(1272049866.598:32540): avc: denied { recv_msg } for saddr=192.168.99.1 src=22 daddr=192.168.99.128 dest=32786 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:ssh_port_t tclass=tcp_socket

I've checked his source policy and even checked the policy.18 file on his target machine, they both show:

Allow sshd_t ssh_port_t : tcp_socket { recv_msg send_msg ... };

The only time I've seen it ignore networking policy was when I was doing it the old (pre-secmark) way but forgot to put selinux_compat_net=1 on the kernel line. His kernel version is 2.6.9 so this should predate secmark and need no flag, correct? There is no /selinux/compat_net file on the machine so I assume it should just work.

This is a fairly old and well "customized" policy, if that matters.

Any ideas?

Dave Thomson