12-18-2009, 07:13 PM
Joshua Roys
 
labeling traffic over lo

Hello,

I am trying to have some applications communicate over loopback under a
f12 mls policy using some sort of labeled networking, the reason being
that otherwise I hit a selinux avc about an unlabeled_t ingress:


avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo
scontext=system_u:object_r:unlabeled_t:s15:c0.c1023
tcontext=...:lo_netif_t:s0-s15:c0.c1023 tclass=netif


Thus far I have tried secmark, but there appear to be issues. I have
incoming and outgoing labeled ipsec from this box working, until I add a
secmark rule like:


iptables -t mangle -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 -i lo \
    --dport $secondary_app_port -j SECMARK --selctx system_u:system_r:httpd_t:s0-s1:c0,c3


And then labeled ipsec falls over and I get avcs similar to:

avc: denied { recv } for saddr=$remote daddr=$local netif=eth0
scontext=...:application_t tcontext=...:unlabeled_t tclass=packet


It seems as if having any secmark labels causes selinux to "forget"
about the labels retrieved from labeled ipsec? When I delete the
secmark rule, I return to getting ingress avcs...


Any ideas?

Thanks,

Josh

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
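An added example, not from the post or the Fedora list: a small Python parser for AVC records of the shape quoted above. It pulls out the permission, the source/target contexts and the object class, and flags the two network-labeling patterns Josh describes (an unlabeled_t peer on a netif, and a packet-class check against unlabeled_t once SECMARK rules are loaded). The sample records are constructed from the two denials in the post, with the $remote/$local placeholders kept as written.

```python
import re
# Constructed samples modelled on the two denials quoted above ($remote/$local kept as written).
SAMPLE_AVCS = [
    "avc: denied { ingress } for saddr=127.0.0.1 daddr=127.0.0.1 netif=lo "
    "scontext=system_u:object_r:unlabeled_t:s15:c0.c1023 "
    "tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif",
    "avc: denied { recv } for saddr=$remote daddr=$local netif=eth0 "
    "scontext=system_u:system_r:application_t:s0 "
    "tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet",
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NETWORK_CLASSES = {"netif", "node", "packet", "peer"}

def parse_avc(line):
    """Return the AVC's permission list and key=value fields as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))})
    return rec

def context_type(ctx):
    parts = ctx.split(":")  # user:role:type[:mls] -> type, which policy rules are written against
    return parts[2] if len(parts) >= 3 else None

def classify_labeling(rec):
    """Diagnose network-labeling denials; None for denials on other classes."""
    if rec.get("tclass") not in NETWORK_CLASSES:
        return None
    stype = context_type(rec.get("scontext", ""))
    ttype = context_type(rec.get("tcontext", ""))
    if rec["tclass"] == "netif" and stype == "unlabeled_t":
        # Peer label is unlabeled_t: neither SECMARK nor labeled IPsec labeled the traffic.
        return "unlabeled peer on %s: traffic carries no label" % rec.get("netif")
    if rec["tclass"] == "packet" and ttype == "unlabeled_t":
        # Packet-class check against unlabeled_t: no SECMARK rule labeled this packet.
        return "packet reached %s as unlabeled_t: no SECMARK rule matched it" % stype
    return "network denial: %s on %s" % (",".join(rec["perms"]), rec["tclass"])

def report(lines):
    """(line_number, diagnosis) for every network-labeling denial in a log."""
    out = []
    for n, line in enumerate(lines, 1):
        rec = parse_avc(line)
        diag = classify_labeling(rec) if rec else None
        if diag:
            out.append((n, diag))
    return out
```

Feed it the output of `ausearch -m avc` (one record per line) to separate the labeled-networking denials from ordinary file and socket denials while tuning SECMARK rules.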