I installed FC6T1 in the last day or two, and I'm seeing lots of avc:denied messages when something tries to access the network. The common thread seems to be netif. SELinux is enforcing.
I relabeled with: setfiles /etc/selinux/targeted/contexts/files/file_contexts / but the problem persists.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:47 gadwall kernel: audit(1151227607.199:30): avc: denied { send } for pid=28697 comm="makewhatis" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:53 gadwall kernel: audit(1151227613.199:31): avc: denied { send } for pid=29189 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:27:05 gadwall kernel: audit(1151227625.200:32): avc: denied { send } for pid=30221 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:03 gadwall kernel: audit(1151229603.556:33): avc: denied { send } for pid=22871 comm="smtp" saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:06 gadwall kernel: audit(1151229606.556:34): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:12 gadwall kernel: audit(1151229612.556:35): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:24 gadwall kernel: audit(1151229624.557:36): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:43 gadwall kernel: audit(1151233603.890:37): avc: denied { send } for pid=22984 comm="smtp" saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:46 gadwall kernel: audit(1151233606.890:38): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:52 gadwall kernel: audit(1151233612.890:39): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:07:04 gadwall kernel: audit(1151233624.891:40): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:04 gadwall kernel: audit(1151238604.282:41): avc: denied { send } for pid=23122 comm="smtp" saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:07 gadwall kernel: audit(1151238607.283:42): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:13 gadwall kernel: audit(1151238613.283:43): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:25 gadwall kernel: audit(1151238625.284:44): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:25 gadwall kernel: audit(1151243605.259:45): avc: denied { send } for pid=23349 comm="smtp" saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:28 gadwall kernel: audit(1151243608.259:46): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:34 gadwall kernel: audit(1151243614.259:47): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:46 gadwall kernel: audit(1151243626.260:48): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:44 gadwall kernel: audit(1151248604.735:49): avc: denied { send } for pid=23490 comm="smtp" saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:47 gadwall kernel: audit(1151248607.736:50): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:53 gadwall kernel: audit(1151248613.736:51): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:17:05 gadwall kernel: audit(1151248625.737:52): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:53): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:54): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.2 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:55): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
I relabeled with: setfiles /etc/selinux/targeted/contexts/files/file_contexts / but the problem persists.
That's not the problem... This is the SECMARK stuff for packet labelling.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"Oh, bother", said Pooh, as he chambered another round...
Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball. Note that parts of this have already made it upstream (for example, the patch to serefpolicy is upstreamed already, and the kernel parts are in Linus's tree already). I did have to patch iptables though, and add a rc.d script to set it up during boot...
I've appended a writeup James Morris did on Secmark 1.1, which gives some hints of how to set it up.
Is all of this on track to be included in FC6? And in particular, how is the rc.d scripting planned to work?
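Valdis's point above is that every denial Jay posted is tclass=packet with tcontext unlabeled_t, so no amount of filesystem relabelling with setfiles can change it: the missing label is on the packet, not on a file. The script below is an added example, not code from this thread or from the SECMARK project. It parses AVC denial lines in the /var/log/messages format posted here and splits them into packet-class denials against unlabeled_t (a packet-labelling or policy-coverage gap) and file-class denials (the kind a relabel or restorecon addresses), so a reader can decide which remedy applies before touching the system. The sample lines are constructed from Jay's log plus one constructed file-class denial for contrast; the category names and the triage hints are my own.

```python
"""Triage SELinux AVC denials copied from /var/log/messages.

Added example for this thread. Separates packet-class denials against
unlabeled_t (SECMARK packet labelling / policy coverage) from file-class
denials (file context problems that setfiles or restorecon can fix).
"""
import re
from collections import Counter

# "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FILE_CLASSES = {'file', 'dir', 'lnk_file', 'chr_file', 'blk_file', 'sock_file', 'fifo_file'}

TRIAGE_HINTS = {
    'secmark-unlabeled-packet':
        'packet-class denial against unlabeled_t: the packet carries no label; '
        'relabelling the filesystem will not help, check packet labelling rules and policy version',
    'file-label':
        'file-class denial: compare the file context with the policy file_contexts '
        '(restorecon / setfiles) before anything else',
    'other':
        'neither packet nor file class: inspect the tclass and permission individually',
}

# Constructed sample: the first three lines mirror entries Jay posted, the
# last is a constructed file-class denial added for contrast.
SAMPLE_LOG = """\
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:53): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 12:00:00 gadwall kernel: audit(1151254800.000:60): avc: denied { read } for pid=1234 comm="httpd" name="index.html" dev=sda2 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""


def parse_avc(line):
    """Return a dict of the denial's key=value fields plus 'perms', or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def selinux_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def classify(rec):
    """Name the kind of denial so the right remedy can be chosen."""
    tclass = rec.get('tclass')
    if tclass == 'packet' and selinux_type(rec.get('tcontext', '')) == 'unlabeled_t':
        return 'secmark-unlabeled-packet'
    if tclass in FILE_CLASSES:
        return 'file-label'
    return 'other'


def summarize(log_text):
    """Count denials by (category, source type, tclass, netif, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (classify(rec), selinux_type(rec['scontext']), rec.get('tclass'),
               rec.get('netif', '-'), rec.get('dest', '-'))
        counts[key] += 1
    return counts


def report(counts):
    """Render one line per distinct denial pattern with its triage hint."""
    lines = []
    for (cat, stype, tclass, netif, dest), n in sorted(counts.items()):
        lines.append(f"{n:3d}  {stype:<18} {tclass:<7} netif={netif:<5} dest={dest:<5} -> {TRIAGE_HINTS[cat]}")
    return lines


if __name__ == '__main__':
    print('\n'.join(report(summarize(SAMPLE_LOG))))
```

Run it against `grep "avc: denied" /var/log/messages` output and the report groups the thread's denials into three packet-class patterns (postfix_local_t on lo, postfix_smtp_t to port 25, ntpd_t to port 53), all carrying the same hint that relabelling files is not the fix, which is exactly what the rest of the thread goes on to confirm.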
On Sun, 2006-06-25 at 20:17 -0400, Valdis.Kletnieks@vt.edu wrote:
On Sun, 25 Jun 2006 13:19:58 CDT, Jay Cliburn said:
I relabeled with: setfiles /etc/selinux/targeted/contexts/files/file_contexts / but the problem persists.
That's not the problem... This is the SECMARK stuff for packet labelling.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"Oh, bother", said Pooh, as he chambered another round...
Excellent juxtaposition of sweetness and malice!
Not all the SECMARK stuff is in Rawhide yet, as far as I can tell.
http://people.redhat.com/jmorris/selinux/secmark/ has the secmark-2.0 tarball. Note that parts of this have already made it upstream (for example, the patch to serefpolicy is upstreamed already, and the kernel parts are in Linus's tree already). I did have to patch iptables though, and add a rc.d script to set it up during boot...
I've appended a writeup James Morris did on Secmark 1.1, which gives some hints of how to set it up.
Is all of this on track to be included in FC6? And in particular, how is the rc.d scripting planned to work?
-------- Forwarded Message -------- From: James Morris jmorris@namei.org To: selinux@tycho.nsa.gov Cc: netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org, Stephen Smalley sds@tycho.nsa.gov, Daniel J Walsh dwalsh@redhat.com, Karl MacMillan kmacmillan@tresys.com, Patrick McHardy kaber@trash.net, David S. Miller davem@davemloft.net, Thomas Bleher bleher@informatik.uni-muenchen.de Subject: [RFC] SECMARK 1.1 Date: Sun, 14 May 2006 02:03:31 -0400 (EDT)
--snip--
Enforcing mode in FC6T1 currently prevents certain network traffic, so I've gone to Permissive as a workaround. I'm a bit of a neophyte when it comes to SELinux. Shall I presume ya'll know how to fix this and I should just wait quietly for the fix to trickle down to me?
Thanks, Jay
On Mon, 26 Jun 2006 21:07:17 CDT, Jay Cliburn said:
Enforcing mode in FC6T1 currently prevents certain network traffic, so I've gone to Permissive as a workaround. I'm a bit of a neophyte when it comes to SELinux. Shall I presume ya'll know how to fix this and I should just wait quietly for the fix to trickle down to me?
Umm... actually, as far as I know, we've got something of a plan on the general vision, but the implementation still needs work. Of course, I'm just basically a beta tester who knows about it because I hit the same issue a few days ahead of you...
It probably wouldn't hurt if you kept an eye on the list, and if/when a fix comes up take it for a spin. We'll need a neophyte tester (I'm going to guess that solutions I find workable are likely not solutions you'd like to deploy as a neophyte...)
On Sun, 2006-06-25 at 13:19 -0500, Jay Cliburn wrote:
I installed FC6T1 in the last day or two, and I'm seeing lots of avc:denied messages when something tries to access the network. The common thread seems to be netif. SELinux is enforcing.
I relabeled with: setfiles /etc/selinux/targeted/contexts/files/file_contexts / but the problem persists.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
<snip>
What policy do you have?
rpm -q selinux-policy
Latest policy should include those permissions.
On Mon, 2006-06-26 at 11:34 -0400, Stephen Smalley wrote:
On Sun, 2006-06-25 at 13:19 -0500, Jay Cliburn wrote:
I installed FC6T1 in the last day or two, and I'm seeing lots of avc:denied messages when something tries to access the network. The common thread seems to be netif. SELinux is enforcing.
I relabeled with: setfiles /etc/selinux/targeted/contexts/files/file_contexts / but the problem persists.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
<snip>
What policy do you have?
rpm -q selinux-policy
Latest policy should include those permissions.
[jcliburn@gadwall ~]$ uname -r
2.6.17-1.2307_FC6
[jcliburn@gadwall ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.3.1-1
For now, I've fallen back to Permissive mode so SMTP traffic and process-based DNS lookups work (e.g., cupsd); they won't work in Enforcing mode.
selinux@lists.fedoraproject.org