Hi, for loopback labeling I use special rules, so that the packets going into and coming out of the loopback device have different labels.

iif lo meta secmark set tcp dport map @secmapping_in
iif lo meta secmark set udp dport map @secmapping_in
iif lo meta secmark set tcp sport map @secmapping_out
iif lo meta secmark set udp sport map @secmapping_out
oif lo meta secmark set tcp dport map @secmapping_out
oif lo meta secmark set udp dport map @secmapping_out
oif lo meta secmark set tcp sport map @secmapping_in
oif lo meta secmark set udp sport map @secmapping_in

The pid values in these audit messages are garbage values (and so the derived command).

On Fri, 15 May 2020 at 13:11, Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>
> Hi,
>
> After sending the previous message with 'git send-email', I noticed
> strange AVC denials in the logs. The first entry is correct, but the
> next have PID 0 and 16:
>
> time->Fri May 15 13:49:30 2020
> type=PROCTITLE msg=audit(1589539770.992:1614):
> proctitle=2F7573722F62696E2F7065726C002F7573722F6C69622F6769742D636F72652F6769742D73656E642D656D61696C002D2D736D74702D6465627567002D2D616E6E6F74617465002D2D746F0073656C696E757840766765722E6B65726E656C2E6F726700642F706F6C696379636F72657574696C732E6769742F303030312D73
> type=SOCKADDR msg=audit(1589539770.992:1614):
> saddr=020000197F0000010000000000000000
> type=SYSCALL msg=audit(1589539770.992:1614): arch=c000003e syscall=42
> success=no exit=-115 a0=7 a1=5a00209eba80 a2=10 a3=fffffffffffffa8b
> items=0 ppid=10011 pid=10012 auid=1000 uid=1000 gid=1000 euid=1000
> suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1
> comm="git-send-email" exe="/usr/bin/perl" subj=user_u:user_r:user_t:s0
> key=(null)
> type=AVC msg=audit(1589539770.992:1614): avc: denied { recv } for
> pid=10012 comm="git-send-email" saddr=127.0.0.1 src=25 daddr=127.0.0.1
> dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
> permissive=0
> ----
> time->Fri May 15 13:49:32 2020
> type=AVC msg=audit(1589539772.016:1615): avc: denied { recv } for
> pid=16 comm="ksoftirqd/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1
> dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
> permissive=0
> ----
> time->Fri May 15 13:49:38 2020
> type=AVC msg=audit(1589539778.096:1617): avc: denied { recv } for
> pid=0 comm="swapper/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482
> netif=lo scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
> permissive=0
> ----
>
> Could it be a bug in kernel somewhere (AVC generated from wrong context)
> or should this be expected? The version of kernel is 5.3.7 and Netfilter
> NFT rules label all packets with SECMARK.
>
> -Topi
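As an added illustration (not the poster's own ruleset), here is a complete nftables table in which the loopback rules quoted in the reply can be loaded: it declares the secmark objects and the two port maps the rules reference, using the smtp_server_packet_t context and port 25 seen in the audit records. The client-side type smtp_client_packet_t, the chain placement in the input and output hooks, and the rule that each domain sends and receives only its own packet type are assumptions about the local policy.

```nft
# Added example: declarations the "iif lo"/"oif lo" rules depend on.
# Load with: nft -f <this file>. Assumes the two packet types exist in
# the loaded SELinux policy (smtp_client_packet_t is an assumption).
table inet filter {
    secmark smtp_server {
        "system_u:object_r:smtp_server_packet_t:s0"
    }
    secmark smtp_client {
        "system_u:object_r:smtp_client_packet_t:s0"
    }

    # secmapping_in: label for packets handled by the process that owns
    # the port (the server); secmapping_out: label for packets handled by
    # the peer of that port (the client). Same port, different label
    # depending on which side of lo the packet is seen from.
    map secmapping_in {
        type inet_service : secmark
        elements = { 25 : "smtp_server" }
    }
    map secmapping_out {
        type inet_service : secmark
        elements = { 25 : "smtp_client" }
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Arriving on lo: destined to a server port -> server label;
        # coming from a server port -> the receiver is a client.
        iif lo meta secmark set tcp dport map @secmapping_in
        iif lo meta secmark set udp dport map @secmapping_in
        iif lo meta secmark set tcp sport map @secmapping_out
        iif lo meta secmark set udp sport map @secmapping_out
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Leaving on lo: sent to a server port -> client label;
        # sent from a server port -> server label.
        oif lo meta secmark set tcp dport map @secmapping_out
        oif lo meta secmark set udp dport map @secmapping_out
        oif lo meta secmark set tcp sport map @secmapping_in
        oif lo meta secmark set udp sport map @secmapping_in
    }
}
```

With this labeling a client such as git-send-email only ever sends and receives smtp_client_packet_t on lo, so its domain needs send/recv on that single type, and a denial like the quoted recv of smtp_server_packet_t would point at the input-side map rather than at the client policy.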