Venkat Yekkirala wrote:
This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
The following are the changes since the previous post of this patchset:
1. Separate BUG_ON usage per Eric's suggestion.
2. Replace security_sid_compare with a simple sid compare check per
a suggestion from Paul/Stephen.
I pulled in the lspp respin kernels and am checking the labeling
behavior now, so I should have a full response later; however, I ran into
one unexpected thing immediately on bootup with the new kernel:
audit(1163061323.188:197): avc: denied { send } for pid=1676
comm="modprobe" daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061343.335:204): avc: denied { send } for pid=1804
comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061343.338:205): avc: denied { recv } for pid=1804
comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353
netif=eth0 scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061346.139:210): avc: denied { send } for pid=1856
comm="smartd-conf.py" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1
daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
These denials come after iptables-restore sets up labeling in the mangle
table, so I'm not sure why they are unlabeled. They also don't say which
port they were using; perhaps it is a different protocol that our packet
labeling isn't covering yet? Is there any way we could get protocol
information in the denial?
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
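An added triage helper, not part of this thread or of the patchset, that parses AVC records of the form quoted above and, for each packet denial against unlabeled_t, reports the destination multicast group and whether the record carries any transport ports (a port-keyed SECMARK rule in the mangle table can only label traffic that has them). The group-to-protocol hints are general IPv6 multicast knowledge rather than anything the kernel logs, and the sample input is the quoted records rejoined onto single lines.

```python
import ipaddress
import re

# Constructed sample: two of the records quoted in the message, rejoined onto
# one line each (the mail client had wrapped them).
SAMPLE_AVC = """\
audit(1163061323.188:197): avc: denied { send } for pid=1676 comm="modprobe" daddr=ff02:0000:0000:0000:0000:0000:0000:0016 netif=eth0 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1163061343.335:204): avc: denied { send } for pid=1804 comm="avahi-daemon" saddr=fe80:0000:0000:0000:020c:29ff:fe72:2dd1 src=5353 daddr=ff02:0000:0000:0000:0000:0000:0000:00fb dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
"""

# Well-known IPv6 multicast groups (general knowledge; the AVC record itself
# has no protocol field, which is exactly what the message asks for).
GROUP_HINTS = {
    "ff02::16": "MLDv2 listener report, carried in ICMPv6 (no ports)",
    "ff02::fb": "mDNS, UDP port 5353",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict (perm plus its key=value fields), else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perm": m.group("perm")}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("rest")))
    return rec

def triage(rec):
    """For an unlabeled_t packet denial, name the destination group and say
    whether a port-keyed labeling rule could have matched the packet at all."""
    if rec.get("tclass") != "packet" or ":unlabeled_t:" not in rec.get("tcontext", ""):
        return None
    group = ipaddress.ip_address(rec["daddr"]).compressed
    return {
        "comm": rec.get("comm"),
        "perm": rec["perm"],
        "daddr": group,
        "hint": GROUP_HINTS.get(group, "unknown group"),
        # No src/dest fields means the kernel saw no TCP/UDP ports, so a rule
        # that selects on ports cannot have labeled this traffic.
        "port_rule_can_match": "src" in rec or "dest" in rec,
    }

def triage_log(text):
    """Parse a log and return the triage of every unlabeled packet denial."""
    recs = (parse_avc(line) for line in text.splitlines())
    return [t for t in (triage(r) for r in recs if r) if t]
```

Running `triage_log(SAMPLE_AVC)` separates the modprobe denial (ff02::16, no ports, so no port rule could match) from the avahi one (ff02::fb with port 5353, which a port rule should have covered).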