On Sun, 2006-06-25 at 20:17 -0400, Valdis.Kletnieks(a)vt.edu wrote:
> On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
> > I relabeled with:
> > setfiles /etc/selinux/targeted/contexts/files/file_contexts /
> > but the problem persists.
> That's not the problem... This is the SECMARK stuff for packet labelling.
> > [root@gadwall etc]# grep "avc: denied" /var/log/messages | more
> > Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
> > "Oh, bother", said Pooh, as he chambered another round...
> Excellent juxtaposition of sweetness and malice!
> Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
> http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball.
> Note that parts of this have already made it upstream (for example, the patch
> to serefpolicy is upstreamed already, and the kernel parts are in Linus's
> tree already. I did have to patch iptables though, and add a rc.d script
> to set it up during boot...
> I've appended a writeup James Morris did on Secmark 1.1, which gives some hints
> of how to set it up.
Is all of this on track to be included in FC6? And in particular, how
is the rc.d scripting planned to work?
> -------- Forwarded Message --------
> From: James Morris <jmorris(a)namei.org>
> To: selinux(a)tycho.nsa.gov
> Cc: netdev(a)vger.kernel.org, netfilter-devel(a)lists.netfilter.org,
> Stephen Smalley <sds(a)tycho.nsa.gov>, Daniel J Walsh
> <dwalsh(a)redhat.com>, Karl MacMillan <kmacmillan(a)tresys.com>, Patrick
> McHardy <kaber(a)trash.net>, David S. Miller <davem(a)davemloft.net>,
> Thomas Bleher <bleher(a)informatik.uni-muenchen.de>
> Subject: [RFC] SECMARK 1.1
> Date: Sun, 14 May 2006 02:03:31 -0400 (EDT)
>
--snip--
Enforcing mode in FC6T1 currently prevents certain network traffic, so
I've gone to Permissive as a workaround. I'm a bit of a neophyte when
it comes to SELinux. Shall I presume y'all know how to fix this and I
should just wait quietly for the fix to trickle down to me?
Thanks,
Jay
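As an added example (not from this thread), a small shell triage helper for denials like the one quoted above: it reads audit lines such as the output of the `grep "avc: denied" /var/log/messages` command Jay ran, keeps only `tclass=packet` denials, and flags those whose target context is `unlabeled_t`, which under SECMARK means no iptables SECMARK rule labelled that packet. The sample input is constructed here (the first line is the thread's denial rejoined onto one line); `example_packet_t` is a placeholder type name, not a real policy type.

```shell
#!/bin/sh
# Added example, not from the thread: triage SELinux AVC denials on the
# "packet" class. Under SECMARK a target context of unlabeled_t means no
# iptables SECMARK rule labelled that packet, so policy has nothing to
# match and the send/recv is denied in enforcing mode.

# Constructed sample input. Line 1 is the denial from the thread, rejoined
# onto one line; lines 2 and 3 are made up for contrast (example_packet_t
# is a placeholder type name, not a real policy type).
SAMPLE='Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:12:40 gadwall kernel: audit(1151226760.001:29): avc: denied { recv } for pid=4327 comm="local" saddr=127.0.0.1 src=512 daddr=127.0.0.1 dest=32769 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:example_packet_t:s0 tclass=packet
Jun 25 04:12:41 gadwall kernel: audit(1151226761.500:30): avc: denied { read } for pid=4400 comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Reads audit lines on stdin; prints one summary per packet denial:
#   TAG perm source_type -> target_type saddr:src->daddr:dest netif
triage_packet_denials() {
    awk '
    /avc: +denied/ && /tclass=packet/ {
        split("", f)                        # reset the key=value map per line
        perm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)  # the permission follows "{"
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        }
        split(f["scontext"], s, ":")        # user:role:type:level
        split(f["tcontext"], t, ":")
        tag = (t[3] == "unlabeled_t") ? "UNLABELED" : "labeled"
        printf "%s %s %s -> %s %s:%s->%s:%s %s\n", tag, perm, s[3], t[3], f["saddr"], f["src"], f["daddr"], f["dest"], f["netif"]
    }'
}

printf '%s\n' "$SAMPLE" | triage_packet_denials
```

On a live system, pipe `grep "avc: denied" /var/log/messages` into `triage_packet_denials`; any `UNLABELED` line points at a flow the SECMARK rules are not covering yet.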