interesting group of AVCs

Mr Dash Four mr.dash.four at googlemail.com
Thu Jun 2 14:42:17 UTC 2011 

Another "interesting" avc I've got - for various reasons (listed) below:

type=SYSCALL msg=audit(02/06/2011 11:52:56.270:136) : arch=i386 
syscall=close success=yes exit=0 a0=b a1=0 a2=16be30 a3=b6421c88 items=0 
ppid=1 pid=2003 auid=root uid=_transmission gid=_transmission 
euid=_transmission suid=_transmission fsuid=_transmission 
egid=_transmission sgid=_transmission fsgid=_transmission tty=(none) 
ses=1 comm=transmission-da exe=/usr/bin/transmission-daemon 
subj=unconfined_u:system_r:transmissionbt_t:s0 key=(null)
type=AVC msg=audit(02/06/2011 11:52:56.270:136) : avc:  denied  { send } 
for  pid=2003 comm=transmission-da saddr=10.x.x.x src=47573 
daddr=xx.xx.xx.xx dest=80 netif=tun0 
scontext=unconfined_u:system_r:transmissionbt_t:s0 
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

What I can't figure out is this:

1. I have a "catch-all" SECMARK rule in my OUTPUT chain like this:

-A OUTPUT -m conntrack --ctstate NEW -j SECMARK --selctx 
system_u:object_r:unauthorised_packet_t:s0

What could be the reason that the label on that packet shown in the AVC 
above is "unlabeled_t", bearing in mind the iptables statement I have 
listed above? Could it be that the packet was "invalid" or is there any 
other reason?

2. The syscall indicated is "close", so should I assume that the 
connection is/was closing then? The destination address and port I 
masked above are known to me (and authorised!), so this is the only type 
AVC I now have (it happened twice in the last 24 hours or so - all with 
the syscall=close). I think I found the reasons for the previous group 
of AVCs I was getting and will post my findings as to what I think needs 
to be altered (i.e. tightened) in the SELinux targeted policy in the 
next few days.

3. The pid (which I assume is the process id) is shown in that AVC as 
2003 - is this reliable? The reason I am asking this is because at the 
time I checked, there was no process listed by that id and the program 
which caused this avc to be raised in the first place (transmissionbt) 
is still running, but its pid is different and, to my knowledge, that 
program has not been restarted!

More information about the selinux mailing list