On 06/15/2015 12:41 PM, Stephen Smalley wrote:
> On 06/12/2015 01:48 PM, Tim Shearer wrote:
>> Hi all,
>>
>> Environment: CentOS 7, with either stock 3.10 kernel, or custom 3.19 kernel.
>>
>> I’m getting an AVC denial message in the audit logs that corresponds to
>> the opening of a TIPC socket (AF_TIPC). The denial seems valid, and
>> is triggered by a custom C++ application that hasn’t yet been assigned
>> an appropriate security context. The problem I’m having is that the AVC
>> message is garbled (non-ASCII data in the denied and tclass fields),
>> which makes it difficult to assemble a new policy:
>>
>> ----
>> type=AVC msg=audit(1434126658.487:34500): avc: denied {
>> *garbage_characters* } for pid=292 comm="kworker/u16:5"
>> scontext=system_u:system_r:kernel_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=*garbage_characters*
>> permissive=0
>> ----
>>
>> This corresponds to a kernel error that shows up in the debuglog:
>>
>> SELinux: Invalid class 0
>
> This suggests that the tipc kernel module is creating a socket in some
> manner without initializing its security state.
>
> Can you provide a reproducer program that triggers the error?

Looks to me as if tipc_accept() never calls sock_graft() or
security_sk_clone() so it will never initialize the security state of
the new sock. Kernel bug.
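A triage sketch for the symptom described in this thread, added here as an example and not code from the posters or the SELinux project: it reads audit records as bytes and flags AVC denials whose permission or tclass field is not a plain identifier, and counts "SELinux: Invalid class" kernel messages seen alongside them. The function names are hypothetical, and the garbage bytes and the first sample record are constructed.

```python
import re

# Assumption for triage: policy class and permission names are ASCII identifiers.
NAME = re.compile(rb'[A-Za-z0-9_]+\Z')
AVC = re.compile(rb'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                 rb'\{(?P<perms>.*?)\}\s+for\s+(?P<rest>.*)\Z', re.S)
TCLASS = re.compile(rb'tclass=(.*?)(?:\s+permissive=\d+)?\s*\Z', re.S)

def parse_avc(line):
    """Parse one raw audit line (bytes); return None if it is not an AVC denial."""
    m = AVC.search(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    rec = {'serial': int(m.group('serial')), 'perms': m.group('perms').split()}
    for key in (b'pid', b'comm'):
        f = re.search(rb'\b' + key + rb'=(\S+)', rest)
        rec[key.decode()] = f.group(1).decode('ascii', 'replace').strip('"') if f else None
    t = TCLASS.search(rest)
    rec['tclass'] = t.group(1) if t else b''
    return rec

def garbled_fields(rec):
    """Name the fields that cannot be valid class/permission strings."""
    bad = []
    if not rec['perms'] or not all(NAME.match(p) for p in rec['perms']):
        bad.append('perms')
    if not NAME.match(rec['tclass']):
        bad.append('tclass')
    return bad

def triage(audit_lines, kernel_lines=()):
    """Return (garbled AVC records, count of 'Invalid class' kernel messages)."""
    findings = []
    for line in audit_lines:
        rec = parse_avc(line)
        bad = garbled_fields(rec) if rec else []
        if bad:
            findings.append((rec['serial'], rec['pid'], rec['comm'], bad))
    hits = sum(1 for l in kernel_lines if re.search(rb'SELinux:\s+Invalid class', l))
    return findings, hits

# Constructed sample input: record 1 is a normal denial; record 2 reuses the
# thread's record with constructed garbage bytes in place of the unreadable fields.
SAMPLE_AUDIT = [
    b'type=AVC msg=audit(1434126650.101:34490): avc:  denied  { read } for  pid=1201 '
    b'comm="cat" name="shadow" scontext=system_u:system_r:httpd_t:s0 '
    b'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    b'type=AVC msg=audit(1434126658.487:34500): avc:  denied  { \xf0\x9d\x02\xe1 } for  pid=292 '
    b'comm="kworker/u16:5" scontext=system_u:system_r:kernel_t:s0 '
    b'tcontext=system_u:object_r:unlabeled_t:s0 tclass=\xc3\x28\x07\x90 permissive=0',
]
SAMPLE_KERNEL = [b'SELinux: Invalid class 0']
```

Feed it lines read in binary mode (for example from audit.log and the kernel log) so the undecodable bytes reach the checks intact.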