selinux-policy-2.5.4

Stephen Smalley sds at tycho.nsa.gov
Mon Feb 26 13:21:44 UTC 2007


On Mon, 2007-02-26 at 07:46 -0500, Stephen Smalley wrote:
> On Sun, 2007-02-25 at 12:15 -0800, Steve G wrote:
> > Hi,
> > 
> > I am curious about the testing process for policy releases. Seems like everytime
> > a new upstream policy is pulled in, we suddenly have a bunch of avcs. For the
> > newest policy, 2.5.4, I have all these:
> > 
> > allow avahi_t unlabeled_t : packet { recv send };
> > allow bluetooth_t lib_t : file execute_no_trans;
> > allow mount_t security_t : filesystem getattr;
> > allow postfix_local_t mail_spool_t : file append;
> > allow postfix_local_t unlabeled_t : packet send;
> > allow postfix_master_t security_t : filesystem getattr;
> > allow restorecon_t security_t : filesystem getattr;
> > allow setrans_t security_t : filesystem getattr;
> > allow setroubleshootd_t mail_spool_t : lnk_file read;
> > allow setroubleshootd_t security_t : filesystem getattr;
> > allow vpnc_t security_t : filesystem getattr;
> > allow vpnc_t unlabeled_t : packet { recv send };
> > 
> > These are simply from booting and connecting to the network. I haven't even tried
> > to start X or do any serious work.
> 
> The security_t:filesystem getattr ones would be from your libselinux
> patch (not yet merged, at least upstream).

The unlabeled_t:packet { recv send } ones suggest that you have secmark
enabled (w/o any iptables rules)?  
$ cat /selinux/compat_net

-- 
Stephen Smalley
National Security Agency




More information about the selinux mailing list