Linux Archive > Redhat > Fedora SELinux Support
Old 12-18-2009, 07:13 PM
Joshua Roys
labeling traffic over lo

I am trying to have some applications communicate over loopback under a
f12 mls policy using some sort of labeled networking, the reason being
that otherwise I hit a selinux avc about an unlabeled_t ingress:

avc: denied { ingress } for saddr= daddr= netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=...:lo_netif_t:s0-s15:c0.c1023 tclass=netif

Thus far I have tried secmark, but there appear to be issues. I have
incoming and outgoing labeled ipsec from this box working, until I add a
secmark rule like:

iptables -t mangle -A INPUT -p tcp -s -d -i lo
--dport $secondary_app_port -j SECMARK --selctx

And then labeled ipsec falls over and I get avcs similar to:

avc: denied { recv } for saddr=$remote daddr=$local netif=eth0
scontext=...:application_t tcontext=...:unlabeled_t tclass=packet

It seems as if having any secmark labels causes selinux to "forget"
about the labels retrieved from labeled ipsec? When I delete the
secmark rule, I return to getting ingress avcs...

Any ideas?

fedora-selinux-list mailing list
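The following is an added example, not code from the post or from the fedora-selinux list. It emits (and can apply) a SECMARK/CONNSECMARK ruleset for the loopback flow described above. The point it demonstrates is that SECMARK labeling is all-or-nothing for the packet class: once any SECMARK rule is loaded, SELinux checks every packet, and any packet no rule labeled carries unlabeled_t, so the ruleset also has to give the remaining traffic (including flows arriving over other interfaces) an explicit label and save/restore it through conntrack. The port, the packet types secondary_app_packet_t and default_packet_t, and the IPT variable are placeholders and assumptions; the types must actually exist in the loaded policy.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a SECMARK/CONNSECMARK
# ruleset in which every new flow gets a packet label, so nothing is left
# as unlabeled_t once SECMARK mode is active. All contexts are placeholders.

APP_PORT="${APP_PORT:-8080}"                                        # placeholder port
APP_CTX="${APP_CTX:-system_u:object_r:secondary_app_packet_t:s0}"   # hypothetical packet type
DEFAULT_CTX="${DEFAULT_CTX:-system_u:object_r:default_packet_t:s0}" # hypothetical packet type
IPT="${IPT:-iptables -t mangle}"

# Print one rule per line; nothing is executed here.
secmark_rules() {
    # Later packets of a flow: take back the label saved in conntrack first.
    printf '%s\n' "$IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
    printf '%s\n' "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore"
    # First packet of the loopback application flow, in both hook points
    # (a loopback packet traverses OUTPUT and then INPUT).
    printf '%s\n' "$IPT -A INPUT  -i lo -p tcp --dport $APP_PORT -m state --state NEW -j SECMARK --selctx $APP_CTX"
    printf '%s\n' "$IPT -A OUTPUT -o lo -p tcp --dport $APP_PORT -m state --state NEW -j SECMARK --selctx $APP_CTX"
    # Every other new flow gets an explicit label instead of falling through
    # to unlabeled_t, which is what an application_t -> unlabeled_t packet
    # recv denial indicates.
    printf '%s\n' "$IPT -A INPUT  -m state --state NEW -j SECMARK --selctx $DEFAULT_CTX"
    printf '%s\n' "$IPT -A OUTPUT -m state --state NEW -j SECMARK --selctx $DEFAULT_CTX"
    # Persist the chosen label on the connection so --restore can find it.
    printf '%s\n' "$IPT -A INPUT  -m state --state NEW -j CONNSECMARK --save"
    printf '%s\n' "$IPT -A OUTPUT -m state --state NEW -j CONNSECMARK --save"
}

# Number of emitted rules that assign a label with SECMARK (CONNSECMARK excluded).
count_secmark_rules() {
    secmark_rules | grep -c -- '-j SECMARK '
}

# Total number of emitted rules.
count_rules() {
    secmark_rules | wc -l | tr -d ' '
}

# Apply the rules for real: needs root and the xt_SECMARK/xt_CONNSECMARK modules.
apply_secmark_rules() {
    secmark_rules | while IFS= read -r rule; do
        sh -c "$rule"
    done
}
```

Run it as `APP_PORT=… APP_CTX=… ./secmark-lo.sh` after sourcing it and calling `secmark_rules` to review the output, then `apply_secmark_rules` once the packet types are confirmed with `seinfo -t` on the running policy. The ESTABLISHED,RELATED restore rules come first on purpose: a reply packet must pick up the connection's saved label before any NEW-only SECMARK rule is considered.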
