* IGMP being blocked
From: Russell Coker @ 2002-06-13 9:53 UTC (permalink / raw)
To: SE Linux
avc: denied { rawip_send } for saddr=213.84.71.248 daddr=224.0.1.41
netif=ppp0 scontext=system_u:object_r:unlabeled_t
tcontext=system_u:object_r:netif_t tclass=netif

avc: denied { rawip_send } for saddr=213.84.71.248 daddr=224.0.1.41
netif=ppp0 scontext=system_u:object_r:unlabeled_t
tcontext=system_u:object_r:node_t tclass=node

I am seeing the above in my logs regularly on a server that I have just
upgraded to the latest LSM with IPSec (which I have not enabled).

It seems that IGMP code is being run as unlabeled_t.

Any ideas on what to do with this?
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: IGMP being blocked
From: Stephen Smalley @ 2002-06-13 12:06 UTC (permalink / raw)
To: Russell Coker; +Cc: SE Linux
On Thu, 13 Jun 2002, Russell Coker wrote:
> avc: denied { rawip_send } for saddr=213.84.71.248 daddr=224.0.1.41
> netif=ppp0 scontext=system_u:object_r:unlabeled_t
> tcontext=system_u:object_r:netif_t tclass=netif
>
> avc: denied { rawip_send } for saddr=213.84.71.248 daddr=224.0.1.41
> netif=ppp0 scontext=system_u:object_r:unlabeled_t
> tcontext=system_u:object_r:node_t tclass=node
>
> I am seeing the above in my logs regularly on a server that I have just
> upgraded to the latest LSM with IPSec (which I have not enabled).
>
> It seems that IGMP code is being run as unlabeled_t.
>
> Any ideas on what to do with this?
I think that what is happening here is that the IGMP code is allocating a
skb and sending it without ever associating it with a sending socket.
Normally, a skb is initially tagged with the unlabeled SID upon allocation
and later tagged with a SID derived from the sending socket upon
skb_set_owner_w. Notice that the IGMP code differs from the ICMP code,
which uses a kernel ICMP socket for sends. I suppose that we could try to
detect these packets in selinux_ip_output_first and then assign them an
initial SID for IGMP traffic.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
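
Added example, not part of the original thread or of the SELinux code: a small Python triage script that re-joins the wrapped AVC records quoted above and groups `rawip_send` denials from an `unlabeled_t` source to a multicast destination by packet, showing that the two denials are the netif and node checks on the same send. The function names and the third log record are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the thread (wrapped as in the
# mail) plus one constructed, unrelated denial for contrast.
SAMPLE = """\
avc: denied { rawip_send } for saddr=213.84.71.248 daddr=224.0.1.41
netif=ppp0 scontext=system_u:object_r:unlabeled_t
tcontext=system_u:object_r:netif_t tclass=netif
avc: denied { rawip_send } for saddr=213.84.71.248 daddr=224.0.1.41
netif=ppp0 scontext=system_u:object_r:unlabeled_t
tcontext=system_u:object_r:node_t tclass=node
avc: denied { read } for pid=412 exe=/bin/cat
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:shadow_t tclass=file
"""

HEAD = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)


def parse_avc(text):
    """Split a log into AVC denial records, re-joining wrapped lines."""
    records = []
    for chunk in re.split(r"(?=avc:\s+denied)", text):
        m = HEAD.match(" ".join(chunk.split()))
        if not m:
            continue
        rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        rec["perms"] = m.group(1).split()
        records.append(rec)
    return records


def unlabeled_multicast_sends(records):
    """Map (saddr, daddr, netif) -> object classes that denied the send."""
    hits = defaultdict(set)
    for r in records:
        if "daddr" not in r or "rawip_send" not in r["perms"]:
            continue
        if not r.get("scontext", "").endswith(":unlabeled_t"):
            continue
        if ipaddress.ip_address(r["daddr"]).is_multicast:
            key = (r.get("saddr"), r["daddr"], r.get("netif"))
            hits[key].add(r.get("tclass"))
    return {k: sorted(v) for k, v in hits.items()}
```
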
* RE: IGMP being blocked
From: Ed Street @ 2002-06-13 12:23 UTC (permalink / raw)
To: 'Russell Coker', 'SE Linux'
Hello,
Yes this LOOKS like multicast addresses. You can disable them by either
turning that feature off or adding a few lines of code:
"$IPTABLES" -A INPUT -d 224.0.0.0/4 -j DROP
Would be interesting to see the log that iptables gives in this case (to
further know what's going on here).
Ed
> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov
> [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Russell Coker
> Sent: Thursday, June 13, 2002 5:53 AM
> To: SE Linux
> Subject: IGMP being blocked
>
>
> avc: denied { rawip_send } for saddr=213.84.71.248
> daddr=224.0.1.41
> netif=ppp0 scontext=system_u:object_r:unlabeled_t
> tcontext=system_u:object_r:netif_t tclass=netif
>
> avc: denied { rawip_send } for saddr=213.84.71.248
> daddr=224.0.1.41
> netif=ppp0 scontext=system_u:object_r:unlabeled_t
> tcontext=system_u:object_r:node_t tclass=node
>
> I am seeing the above in my logs regularly on a server that I
> have just
> upgraded to the latest LSM with IPSec (which I have not enabled).
>
> It seems that IGMP code is being run as unlabeled_t.
>
> Any ideas on what to do with this?
>
> --
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in
> your address-book so that WHEN you get a virus it won't use
> my address in the
> From field.
>
> --
> You have received this message because you are subscribed to
> the selinux list. If you no longer wish to subscribe, send
> mail to majordomo@tycho.nsa.gov with the words "unsubscribe
> selinux" without quotes as the message.
>