Strange AVC denials without effect
- To: SElinux list <selinux@xxxxxxxxxxxxxxx>
- Subject: Strange AVC denials without effect
- From: Topi Miettinen <toiwoton@xxxxxxxxx>
- Date: Fri, 3 Jul 2020 13:28:34 +0300
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
Hello,
I renamed SELinux packet types, and did so without using type attributes
(like packet_type etc.), so that refpolicy TE rules for packets should
not apply. Then I added new rules for the new types one by one as they
were needed. But there are lots of audit entries which would seem to
indicate that kernel_t is prevented from sending packets:
type=AVC msg=audit(1593770235.180:3222): avc: denied { send } for
pid=408 comm="irq/30-iwlwifi" saddr=10.0.0.3 daddr=1.1.1.1 netif=wlan0
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:my_dns_client_packet_t:s0 tclass=packet
permissive=0
In reality, the packets are sent. But kernel_t is not permissive and
there should not be any rules which would allow the action, so shouldn't
this prevent packet transmission?
-Topi