* IGMP being blocked
@ 2002-06-13  9:53 Russell Coker
  2002-06-13 12:06 ` Stephen Smalley
  2002-06-13 12:23 ` Ed Street
  0 siblings, 2 replies; 3+ messages in thread
From: Russell Coker @ 2002-06-13  9:53 UTC (permalink / raw)
  To: SE Linux

avc:  denied  { rawip_send } for  saddr=213.84.71.248 daddr=224.0.1.41 
netif=ppp0 scontext=system_u:object_r:unlabeled_t 
tcontext=system_u:object_r:netif_t tclass=netif

avc:  denied  { rawip_send } for  saddr=213.84.71.248 daddr=224.0.1.41 
netif=ppp0 scontext=system_u:object_r:unlabeled_t 
tcontext=system_u:object_r:node_t tclass=node

I am seeing the above in my logs regularly on a server that I have just 
upgraded to the latest LSM with IPSec (which I have not enabled).

It seems that IGMP code is being run as unlabeled_t.

Any ideas on what to do with this?

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: IGMP being blocked
  2002-06-13  9:53 IGMP being blocked Russell Coker
@ 2002-06-13 12:06 ` Stephen Smalley
  2002-06-13 12:23 ` Ed Street
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2002-06-13 12:06 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux


On Thu, 13 Jun 2002, Russell Coker wrote:

> avc:  denied  { rawip_send } for  saddr=213.84.71.248 daddr=224.0.1.41
> netif=ppp0 scontext=system_u:object_r:unlabeled_t
> tcontext=system_u:object_r:netif_t tclass=netif
>
> avc:  denied  { rawip_send } for  saddr=213.84.71.248 daddr=224.0.1.41
> netif=ppp0 scontext=system_u:object_r:unlabeled_t
> tcontext=system_u:object_r:node_t tclass=node
>
> I am seeing the above in my logs regularly on a server that I have just
> upgraded to the latest LSM with IPSec (which I have not enabled).
>
> It seems that IGMP code is being run as unlabeled_t.
>
> Any ideas on what to do with this?

I think that what is happening here is that the IGMP code is allocating a
skb and sending it without ever associating it with a sending socket.
Normally, a skb is initially tagged with the unlabeled SID upon allocation
and later tagged with a SID derived from the sending socket upon
skb_set_owner_w.  Notice that the IGMP code differs from the ICMP code,
which uses a kernel ICMP socket for sends.  I suppose that we could try to
detect these packets in selinux_ip_output_first and then assign them an
initial SID for IGMP traffic.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
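
Added example, not part of the original thread: a triage script that picks out denials matching the situation discussed above, an unlabeled_t source sending to a multicast destination. The function names and the unlabeled-plus-multicast heuristic are assumptions of this example; the sample input is the two denials from the first message.

```python
import ipaddress
import re

# The two AVC denials from the first message, wrapped as they were in the e-mail.
SAMPLE = """\
avc:  denied  { rawip_send } for  saddr=213.84.71.248 daddr=224.0.1.41
netif=ppp0 scontext=system_u:object_r:unlabeled_t
tcontext=system_u:object_r:netif_t tclass=netif

avc:  denied  { rawip_send } for  saddr=213.84.71.248 daddr=224.0.1.41
netif=ppp0 scontext=system_u:object_r:unlabeled_t
tcontext=system_u:object_r:node_t tclass=node
"""

MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# One record runs from "avc: denied" up to the next record or end of input,
# so records wrapped over several lines (or "> "-quoted) still parse.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=avc:\s+denied|\Z)", re.S)


def parse_avc(text):
    """Return one dict per denial: key=value fields plus a 'perms' list."""
    records = []
    for m in AVC_RE.finditer(text):
        rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        rec["perms"] = m.group(1).split()
        records.append(rec)
    return records


def is_unlabeled_multicast(rec):
    """Heuristic (assumption): unlabeled_t source and 224.0.0.0/4 destination."""
    # The type is the last field of the user:role:type contexts shown in the thread.
    source_type = rec.get("scontext", "").rsplit(":", 1)[-1]
    try:
        dest = ipaddress.ip_address(rec.get("daddr", ""))
    except ValueError:
        return False
    return source_type == "unlabeled_t" and dest in MULTICAST


def triage(text):
    """Return (tclass, netif, daddr) for each denial matching the heuristic."""
    return [(r.get("tclass"), r.get("netif"), r["daddr"])
            for r in parse_avc(text) if is_unlabeled_multicast(r)]


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("unlabeled multicast send denied:", hit)
```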





* RE: IGMP being blocked
  2002-06-13  9:53 IGMP being blocked Russell Coker
  2002-06-13 12:06 ` Stephen Smalley
@ 2002-06-13 12:23 ` Ed Street
  1 sibling, 0 replies; 3+ messages in thread
From: Ed Street @ 2002-06-13 12:23 UTC (permalink / raw)
  To: 'Russell Coker', 'SE Linux'

Hello,

Yes this LOOKS like multicast addresses.  You can disable them by either
turning that feature off or adding a few lines of code

"$IPTABLES" -A INPUT -d 224.0.0.0/4 -j DROP

Would be interesting to see the log that iptables gives in this case (to
further know what's going on here)

Ed

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov 
> [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Russell Coker
> Sent: Thursday, June 13, 2002 5:53 AM
> To: SE Linux
> Subject: IGMP being blocked
> 
> 
> avc:  denied  { rawip_send } for  saddr=213.84.71.248 
> daddr=224.0.1.41 
> netif=ppp0 scontext=system_u:object_r:unlabeled_t 
> tcontext=system_u:object_r:netif_t tclass=netif
> 
> avc:  denied  { rawip_send } for  saddr=213.84.71.248 
> daddr=224.0.1.41 
> netif=ppp0 scontext=system_u:object_r:unlabeled_t 
> tcontext=system_u:object_r:node_t tclass=node
> 
> I am seeing the above in my logs regularly on a server that I 
> have just 
> upgraded to the latest LSM with IPSec (which I have not enabled).
> 
> It seems that IGMP code is being run as unlabeled_t.
> 
> Any ideas on what to do with this?
> 
> -- 
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in 
> your address-book so that WHEN you get a virus it won't use 
> my address in the
> From field.
> 