Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 | netdev

(off-list ancestor, not in this archive)
Re: Is TCP over IPsec broken in 2.6.18? · Herbert Xu <herbert@gondor.apana.org.au> · 2006-09-25
Re: Is TCP over IPsec broken in 2.6.18? · Evgeniy Polyakov <hidden> · 2006-09-25
Re: Is TCP over IPsec broken in 2.6.18? · jamal <hidden> · 2006-09-25
Re: Is TCP over IPsec broken in 2.6.18? · James Morris <jmorris@namei.org> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · James Morris <jmorris@namei.org> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · James Morris <jmorris@namei.org> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · Evgeniy Polyakov <hidden> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · James Morris <jmorris@namei.org> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · Evgeniy Polyakov <hidden> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · Evgeniy Polyakov <hidden> · 2006-09-30
Re: Is TCP over IPsec broken in 2.6.18? · James Morris <jmorris@namei.org> · 2006-09-30
[PATCH] Fix for IPsec leakage with SELinux enabled · James Morris <jmorris@namei.org> · 2006-10-01
Re: [PATCH] Fix for IPsec leakage with SELinux enabled · Evgeniy Polyakov <hidden> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled · James Morris <jmorris@namei.org> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled · Evgeniy Polyakov <hidden> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled · James Morris <jmorris@namei.org> · 2006-10-02
[PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · James Morris <jmorris@namei.org> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · Evgeniy Polyakov <hidden> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · James Morris <jmorris@namei.org> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · Evgeniy Polyakov <hidden> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · James Morris <jmorris@namei.org> · 2006-10-02
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · Evgeniy Polyakov <hidden> · 2006-10-04
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · James Morris <jmorris@namei.org> · 2006-10-04
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · David Miller <davem@davemloft.net> · 2006-10-03
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · James Morris <jmorris@namei.org> · 2006-10-04
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · Herbert Xu <herbert@gondor.apana.org.au> · 2006-10-04
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · James Morris <jmorris@namei.org> · 2006-10-05
Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · David Miller <davem@davemloft.net> · 2006-10-05

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

From: James Morris <jmorris@namei.org>
Date: 2006-10-04 13:00:12

Possibly related (same subject, not in this thread)

2006-10-04 · RE: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02 · Venkat Yekkirala <hidden>

On Wed, 4 Oct 2006, Evgeniy Polyakov wrote:

Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux
[root@kano ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.3.17-2

I get only this messages in audit.log when remote racoon tries to
connect to system with selinux enabled in enforcing mode:

I think the policy has just not been written for racoon, and it's being 
denied by deault (cd'd Dan Walsh).

type=AVC msg=audit(1159938297.845:625): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=association
type=AVC msg=audit(1159938297.845:626): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938307.837:627): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938317.838:628): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1159938327.839:629): avc:  denied  { polmatch } for
scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association

It is with your patch applied.
Should I try Venkat's or it is unrelated problem?

quoted

-- 
James Morris
[off-list ref]

-- 
James Morris
[off-list ref]

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help