Re: Wrong processes in AVC denials

On 15.5.2020 14.50, Christian Göttsche wrote:
> Hi,
> 
> for loopback labeling I use special rules, so that the packet going
> into and coming out of the loopback device have different labels.

I'm relying on INPUT chain for labeling incoming packets and vice versa. Doesn't that work for loopback?

> iif lo meta secmark set tcp dport map @secmapping_in

I think there's some limit for the size of NFT maps, so I was not able to use them for labeling all packet types known by the policy.

-Topi

> iif lo meta secmark set udp dport map @secmapping_in
> iif lo meta secmark set tcp sport map @secmapping_out
> iif lo meta secmark set udp sport map @secmapping_out
> 
> oif lo meta secmark set tcp dport map @secmapping_out
> oif lo meta secmark set udp dport map @secmapping_out
> oif lo meta secmark set tcp sport map @secmapping_in
> oif lo meta secmark set udp sport map @secmapping_in
> 
> The pid values in these audit messages are garbage values (and so the
> derived command).
> 
> On Fri, 15 May 2020 at 13:11, Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
>> 
>> Hi,
>> 
>> After sending the previous message with 'git send-email', I noticed
>> strange AVC denials in the logs. The first entry is correct, but the
>> next have PID 0 and 16:
>> 
>> time->Fri May 15 13:49:30 2020
>> type=PROCTITLE msg=audit(1589539770.992:1614):
>> proctitle=2F7573722F62696E2F7065726C002F7573722F6C69622F6769742D636F72652F6769742D73656E642D656D61696C002D2D736D74702D6465627567002D2D616E6E6F74617465002D2D746F0073656C696E757840766765722E6B65726E656C2E6F726700642F706F6C696379636F72657574696C732E6769742F303030312D73
>> type=SOCKADDR msg=audit(1589539770.992:1614):
>> saddr=020000197F0000010000000000000000
>> type=SYSCALL msg=audit(1589539770.992:1614): arch=c000003e syscall=42
>> success=no exit=-115 a0=7 a1=5a00209eba80 a2=10 a3=fffffffffffffa8b
>> items=0 ppid=10011 pid=10012 auid=1000 uid=1000 gid=1000 euid=1000
>> suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1
>> comm="git-send-email" exe="/usr/bin/perl" subj=user_u:user_r:user_t:s0
>> key=(null)
>> type=AVC msg=audit(1589539770.992:1614): avc:  denied  { recv } for
>> pid=10012 comm="git-send-email" saddr=127.0.0.1 src=25 daddr=127.0.0.1
>> dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
>> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
>> permissive=0
>> ----
>> time->Fri May 15 13:49:32 2020
>> type=AVC msg=audit(1589539772.016:1615): avc:  denied  { recv } for
>> pid=16 comm="ksoftirqd/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1
>> dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
>> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
>> permissive=0
>> ----
>> time->Fri May 15 13:49:38 2020
>> type=AVC msg=audit(1589539778.096:1617): avc:  denied  { recv } for
>> pid=0 comm="swapper/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482
>> netif=lo scontext=user_u:user_r:user_t:s0
>> tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
>> permissive=0
>> ----
>> 
>> Could it be a bug in the kernel somewhere (AVC generated from wrong context)
>> or should this be expected? The kernel version is 5.3.7 and Netfilter
>> NFT rules label all packets with SECMARK.
>> 
>> -Topi
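Triage helper for records like the three quoted above, added here as an example and not code from the thread. The recv check for a packet runs when the kernel hands the skb to the receiving socket; on loopback that normally happens in softirq context, so the pid/comm that the AVC record reports belong to whatever task was current at that moment (here ksoftirqd/1 and the idle task swapper/1, pid 0), while scontext is the label of the receiving socket. The script therefore keys on scontext, tcontext, netif and the port pair, treats pid/comm as informative only when they do not name a kernel thread, and re-joins records that a mail client wrapped onto several lines. The three AVC records are the ones from the post; the kernel-thread name pattern is an assumption of this example.

```python
"""Triage SELinux packet recv denials whose pid/comm point at a kernel thread.

Added example, not code from the thread. SAMPLE_AUDIT holds the three AVC
records from the post, still wrapped the way the mail client wrapped them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_AUDIT = """\
time->Fri May 15 13:49:30 2020
type=AVC msg=audit(1589539770.992:1614): avc:  denied  { recv } for
pid=10012 comm="git-send-email" saddr=127.0.0.1 src=25 daddr=127.0.0.1
dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
permissive=0
----
time->Fri May 15 13:49:32 2020
type=AVC msg=audit(1589539772.016:1615): avc:  denied  { recv } for
pid=16 comm="ksoftirqd/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1
dest=45482 netif=lo scontext=user_u:user_r:user_t:s0
tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
permissive=0
----
time->Fri May 15 13:49:38 2020
type=AVC msg=audit(1589539778.096:1617): avc:  denied  { recv } for
pid=0 comm="swapper/1" saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=45482
netif=lo scontext=user_u:user_r:user_t:s0
tcontext=system_u:object_r:smtp_server_packet_t:s0 tclass=packet
permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Kernel threads that are commonly "current" on the softirq receive path.
# Assumption of this example: the list is a heuristic, not exhaustive.
KERNEL_TASK_RE = re.compile(r'^(ksoftirqd|swapper|kworker)/\d+')


@dataclass
class PacketDenial:
    serial: int
    pid: int
    comm: str
    scontext: str
    tcontext: str
    src: int
    dest: int
    netif: str
    attributed_to_kernel_task: bool


def join_wrapped(text):
    """Re-join audit records that were wrapped onto several lines.
    A line not starting with 'type=', 'time->' or '----' continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith(('type=', 'time->', '----')) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line.lstrip()
    return records


def parse_packet_denial(record):
    """Return a PacketDenial for an AVC 'denied' record of class packet, else None."""
    m = AVC_RE.search(record)
    if not m or m.group('result') != 'denied':
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if f.get('tclass') != 'packet':
        return None
    pid, comm = int(f['pid']), f.get('comm', '')
    return PacketDenial(
        serial=int(m.group('serial')), pid=pid, comm=comm,
        scontext=f['scontext'], tcontext=f['tcontext'],
        src=int(f['src']), dest=int(f['dest']), netif=f.get('netif', ''),
        # pid 0 is the idle task; ksoftirqd/swapper mean the check ran in
        # softirq context, so the subject is the socket label, not this task.
        attributed_to_kernel_task=(pid == 0 or bool(KERNEL_TASK_RE.match(comm))),
    )


def triage(text):
    """Group packet denials per flow. The key uses the socket label, the peer
    label and the 4-tuple fields, never pid/comm."""
    flows = defaultdict(lambda: {'count': 0, 'owner_pids': set(), 'kernel_task_records': 0})
    for rec in join_wrapped(text):
        d = parse_packet_denial(rec)
        if d is None:
            continue
        s = flows[(d.scontext, d.tcontext, d.netif, d.src, d.dest)]
        s['count'] += 1
        if d.attributed_to_kernel_task:
            s['kernel_task_records'] += 1
        else:
            s['owner_pids'].add((d.pid, d.comm))
    return dict(flows)


if __name__ == '__main__':
    for (sctx, tctx, netif, src, dest), s in triage(SAMPLE_AUDIT).items():
        print(f"{sctx} recv {tctx} on {netif} {src}->{dest}: {s['count']} denials, "
              f"{s['kernel_task_records']} attributed to kernel tasks, "
              f"owners={sorted(s['owner_pids'])}")
```

Because a softirq runs on top of whatever task happened to be executing, the reported pid/comm can also be an unrelated user process, not just a kernel thread; the heuristic only catches the obvious cases, and the socket label plus the address and port fields remain the only reliable key for the flow.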
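The loopback rules quoted above only load inside a table that also defines the secmark objects and the two maps. As an added example, not a ruleset from the thread, here is one complete table for port 25. Which packet context each map assigns depends on how the policy models loopback traffic; the assignment here (secmapping_in gives the server packet type, secmapping_out the client one) is an assumption, as are the table and object names and the smtp_client_packet_t context, which is the refpolicy counterpart of the smtp_server_packet_t seen in the denials.

```nft
# Added example, not from the thread. Loads with: nft -f this-file
table inet selinux_lo {
    # secmark objects carry the SELinux packet contexts (assumed labels)
    secmark smtp_server {
        "system_u:object_r:smtp_server_packet_t:s0"
    }
    secmark smtp_client {
        "system_u:object_r:smtp_client_packet_t:s0"
    }

    # port -> label; both maps keyed by the SMTP port only
    map secmapping_in {
        type inet_service : secmark
        elements = { 25 : "smtp_server" }
    }
    map secmapping_out {
        type inet_service : secmark
        elements = { 25 : "smtp_client" }
    }

    # packets leaving lo: label by destination port on the way to the
    # server and by source port on the reply path
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo meta secmark set tcp dport map @secmapping_in
        iif lo meta secmark set udp dport map @secmapping_in
        iif lo meta secmark set tcp sport map @secmapping_out
        iif lo meta secmark set udp sport map @secmapping_out
    }

    # the same packet seen at OUTPUT before it enters lo gets the
    # opposite map, so the two sides of loopback carry different labels
    chain output {
        type filter hook output priority 0; policy accept;
        oif lo meta secmark set tcp dport map @secmapping_out
        oif lo meta secmark set udp dport map @secmapping_out
        oif lo meta secmark set tcp sport map @secmapping_in
        oif lo meta secmark set udp sport map @secmapping_in
    }
}
```

A map lookup that finds no element leaves the secmark untouched, so packets on ports the maps do not list keep whatever label (or lack of one) they had; with `policy accept` they are still delivered and the SELinux recv check then runs against the unlabeled packet type.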



