Hello guys. Is there any way to mark traffic on the IPv6 loopback interface as 'cipso'? I just got the following AVCs on Red Hat Enterprise Linux 6.4 x64:
type=AVC msg=audit(1368559715.534:1532): avc: denied { recv } for pid=3787 comm="tl-xinit" saddr=::1 src="" daddr=::1 dest=51248 netif=lo scontext=user_u:user_r:user_t:s0-s3:c0.c15 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
type=AVC msg=audit(1368559716.538:1533): avc: denied { recv } for saddr=::1 src="" daddr=::1 dest=51248 netif=lo scontext=user_u:user_r:user_t:s0-s3:c0.c15 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
type=AVC msg=audit(1368559718.537:1545): avc: denied { recv } for pid=3795 comm="unix_chkpwd" saddr=::1 src="" daddr=::1 dest=51248 netif=lo scontext=user_u:user_r:user_t:s0-s3:c0.c15 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
type=AVC msg=audit(1368559722.540:1560): avc: denied { recv } for saddr=::1 src="" daddr=::1 dest=51248 netif=lo scontext=user_u:user_r:user_t:s0-s3:c0.c15 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
type=AVC msg=audit(1368559730.540:1561): avc: denied { recv } for saddr=::1 src="" daddr=::1 dest=51248 netif=lo scontext=user_u:user_r:user_t:s0-s3:c0.c15 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
The server is configured as an MLS system, and there is 'tl-xinit' that tried to connect via IPv6 loopback (?), and the context is marked as unlabeled_t:s15 .... so, no connection.
The network is configured as:
netlabelctl unlbl add interface:eth0 address:0.0.0.0/0 label:system_u:object_r:node_t:s0
netlabelctl map del default
netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
netlabelctl cipsov4 add pass doi:32 tags:1
netlabelctl map add default address:127.0.0.0/8 protocol:cipsov4,32
netlabelctl map add default address:192.168.1.96/32 protocol:cipsov4,32
netlabelctl map add default address:::/0 protocol:unlbl
P.S. BTW, I tried to do something foolish, like 'netlabelctl map add default address:::/128 protocol:cipsov4,32', and got a kernel bug .. :) Does this result need to be reported or not?