1:19 p.m.
I installed FC6T1 in the last day or two, and I'm seeing lots of
avc:denied messages when something tries to access the network. The
common thread seems to be netif. SELinux is enforcing.
I relabeled with:
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
but the problem persists.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for
pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512
netif=lo scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for
pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:47 gadwall kernel: audit(1151227607.199:30): avc: denied { send } for
pid=28697 comm="makewhatis" saddr=192.168.1.8 src=54461 daddr=192.168.1.3
dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:53 gadwall kernel: audit(1151227613.199:31): avc: denied { send } for
pid=29189 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:27:05 gadwall kernel: audit(1151227625.200:32): avc: denied { send } for
pid=30221 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:03 gadwall kernel: audit(1151229603.556:33): avc: denied { send } for
pid=22871 comm="smtp" saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:06 gadwall kernel: audit(1151229606.556:34): avc: denied { send } for
saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 05:00:12 gadwall kernel: audit(1151229612.556:35): avc: denied { send } for
saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 05:00:24 gadwall kernel: audit(1151229624.557:36): avc: denied { send } for
saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 06:06:43 gadwall kernel: audit(1151233603.890:37): avc: denied { send } for
pid=22984 comm="smtp" saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:46 gadwall kernel: audit(1151233606.890:38): avc: denied { send } for
saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 06:06:52 gadwall kernel: audit(1151233612.890:39): avc: denied { send } for
saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 06:07:04 gadwall kernel: audit(1151233624.891:40): avc: denied { send } for
saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 07:30:04 gadwall kernel: audit(1151238604.282:41): avc: denied { send } for
pid=23122 comm="smtp" saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:07 gadwall kernel: audit(1151238607.283:42): avc: denied { send } for
saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 07:30:13 gadwall kernel: audit(1151238613.283:43): avc: denied { send } for
saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 07:30:25 gadwall kernel: audit(1151238625.284:44): avc: denied { send } for
saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 08:53:25 gadwall kernel: audit(1151243605.259:45): avc: denied { send } for
pid=23349 comm="smtp" saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:28 gadwall kernel: audit(1151243608.259:46): avc: denied { send } for
saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 08:53:34 gadwall kernel: audit(1151243614.259:47): avc: denied { send } for
saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 08:53:46 gadwall kernel: audit(1151243626.260:48): avc: denied { send } for
saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 10:16:44 gadwall kernel: audit(1151248604.735:49): avc: denied { send } for
pid=23490 comm="smtp" saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:47 gadwall kernel: audit(1151248607.736:50): avc: denied { send } for
saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 10:16:53 gadwall kernel: audit(1151248613.736:51): avc: denied { send } for
saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 10:17:05 gadwall kernel: audit(1151248625.737:52): avc: denied { send } for
saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0
scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:53): avc: denied { send } for
pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53
netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:54): avc: denied { send } for
pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.2 dest=53
netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:55): avc: denied { send } for
pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53
netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=packet
7:17 p.m.
On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
I relabeled with:
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
but the problem persists.
That's not the problem... This is the SECMARK stuff for packet labelling.
[root@gadwall etc]# grep "avc: denied" /var/log/messages |
more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc:
denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769
daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"Oh, bother", said Pooh, as he chambered another round...
Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball.
Note that parts of this have already made it upstream (for example, the patch
to serefpolicy is upstreamed already, and the kernel parts are in Linus's
tree already. I did have to patch iptables though, and add a rc.d script
to set it up during boot...
I've appended a writeup James Morris did on Secmark 1.1, which gives some hints
of how to set it up.
Is all of this on track to be included in FC6? And in particular, how
is the rc.d scripting planned to work?
9:07 p.m.
On Sun, 2006-06-25 at 20:17 -0400, Valdis.Kletnieks(a)vt.edu wrote:
On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
> I relabeled with:
> setfiles /etc/selinux/targeted/contexts/files/file_contexts /
> but the problem persists.
That's not the problem... This is the SECMARK stuff for packet labelling.
> [root@gadwall etc]# grep "avc: denied" /var/log/messages | more
> Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for
pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512
netif=lo scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"Oh, bother", said Pooh, as he chambered another round...
Excellent juxtaposition of sweetness and malice!
Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball.
Note that parts of this have already made it upstream (for example, the patch
to serefpolicy is upstreamed already, and the kernel parts are in Linus's
tree already. I did have to patch iptables though, and add a rc.d script
to set it up during boot...
I've appended a writeup James Morris did on Secmark 1.1, which gives some hints
of how to set it up.
Is all of this on track to be included in FC6? And in particular, how
is the rc.d scripting planned to work?
email message attachment, "forwarded message"
> -------- Forwarded Message --------
> From: James Morris <jmorris(a)namei.org>
> To: selinux(a)tycho.nsa.gov
> Cc: netdev(a)vger.kernel.org, netfilter-devel(a)lists.netfilter.org,
> Stephen Smalley <sds(a)tycho.nsa.gov>, Daniel J Walsh
> <dwalsh(a)redhat.com>, Karl MacMillan <kmacmillan(a)tresys.com>, Patrick
> McHardy <kaber(a)trash.net>, David S. Miller <davem(a)davemloft.net>,
> Thomas Bleher <bleher(a)informatik.uni-muenchen.de>
> Subject: [RFC] SECMARK 1.1
> Date: Sun, 14 May 2006 02:03:31 -0400 (EDT)
>
--snip--
Enforcing mode in FC6T1 currently prevents certain network traffic, so
I've gone to Permissive as a workaround. I'm a bit of a neophyte when
it comes to SELinux. Shall I presume ya'll know how to fix this and I
should just wait quietly for the fix to trickle down to me?
Thanks,
Jay
11:19 p.m.
On Mon, 26 Jun 2006 21:07:17 CDT, Jay Cliburn said:
Enforcing mode in FC6T1 currently prevents certain network traffic,
so
I've gone to Permissive as a workaround. I'm a bit of a neophyte when
it comes to SELinux. Shall I presume ya'll know how to fix this and I
should just wait quietly for the fix to trickle down to me?
Umm... actually, as far as I know, we've got something of a plan on the
general vision, but the implementation still needs work. Of course, I'm
just basically a beta tester who knows about it because I hit the same
issue a few days ahead of you...
It probably wouldn't hurt if you kept an eye on the list, and if/when a fix
comes up take it for a spin. We'll need a neophyte tester (I'm going to
guess that solutions I find workable are likely not solutions you'd like
to deploy as a neophyte...)
10:34 a.m.
On Sun, 2006-06-25 at 13:19 -0500, Jay Cliburn wrote:
I installed FC6T1 in the last day or two, and I'm seeing lots of
avc:denied messages when something tries to access the network. The
common thread seems to be netif. SELinux is enforcing.
I relabeled with:
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
but the problem persists.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for
pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512
netif=lo scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
<snip>
What policy do you have? rpm -q selinux-policy
Latest policy should include those permissions.
--
Stephen Smalley
National Security Agency
9 p.m.
On Mon, 2006-06-26 at 11:34 -0400, Stephen Smalley wrote:
On Sun, 2006-06-25 at 13:19 -0500, Jay Cliburn wrote:
> I installed FC6T1 in the last day or two, and I'm seeing lots of
> avc:denied messages when something tries to access the network. The
> common thread seems to be netif. SELinux is enforcing.
>
> I relabeled with:
> setfiles /etc/selinux/targeted/contexts/files/file_contexts /
> but the problem persists.
>
> [root@gadwall etc]# grep "avc: denied" /var/log/messages | more
> Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for
pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512
netif=lo scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
<snip>
What policy do you have? rpm -q selinux-policy
Latest policy should include those permissions.
[jcliburn@gadwall ~]$ uname -r
2.6.17-1.2307_FC6
[jcliburn@gadwall ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.3.1-1
For now, I've fallen back to Permissive mode so SMTP traffic and
process-based DNS lookups work (e.g., cupsd); they won't work in
Enforcing mode.
6550
days inactive
6552
days old
selinux@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Jay Cliburn -
Stephen Smalley -
Valdis.Kletnieks@vt.edu