On Thu, 2004-10-07 at 01:42, Valdis.Kletnieks@xxxxxx wrote:
> audit(1097111349.727:0): avc: denied { tcp_recv } for pid=2
> comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo
> scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:netif_lo_t
> tclass=netif
> audit(1097111349.754:0): avc: denied { tcp_recv } for pid=2
> comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo
> scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:node_lo_t
> tclass=node
> audit(1097111349.782:0): avc: denied { recv_msg } for pid=2
> comm=ksoftirqd/0 saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=59639 netif=lo
> scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:smtp_port_t
> tclass=tcp_socket
>
> At least for the recv_msg error, I *think* the message is generated because
> when we get into net/socket.c, we call security_socket_recvmsg() in
> __recv_msg() - and (possibly only when we have the VP patch applied?) at that
> point we're in a softirqd context rather than the context of the process that
> will finally receive the packet, so the SELinux code ends up checking the
> wrong
> credentials. I've not waded through the code enough to figure out exactly
> where the two tcp_recv messages are generated, but I suspect the root cause is
> the same for all three messages.
Valdis,
These permission checks are based on the receiving socket security
context, not any process security context, and are performed by the
sock_rcv_skb hook when mediating packet receipt on a socket. The
auxiliary pid and comm or exe information is meaningless for such
checks. avc_audit could possibly be modified to check whether we are in
softirq and omit them in those cases from the audit messages. This has
been discussed previously on the selinux mailing list, please see the
archives.
--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
|