Re: [2.6.20.17 review 00/58] 2.6.20.17 -stable review

[Stephen Smalley]

On Wed, 2007-08-22 at 16:29 +0200, Michal Piotrowski wrote:
> On 22/08/07, James Morris <jmorris@xxxxxxxxx> wrote:
> > On Wed, 22 Aug 2007, Stephen Smalley wrote:
> >
> > > Oops, never mind - tail still follows secmark, so that shouldn't matter.
> > > So I'm not sure why we are getting a bad value for secmark here - should
> > > be initialized to zero and never modified unless there is an iptables
> > > secmark rule.
> >
> > Michal, do you see this in current git?
> 
> No, I do not see this problem in 2.6.23. I had similar problem last
> month, but it is fixed now.
> 
> http://lkml.org/lkml/2007/7/12/362

The difference being that there the denials were against unlabeled_t
(the expected default in the presence of no iptables SECMARK rules, and
allowed by current policies), while the denials against 2.6.20.17 were
against kernel_t.  Which shouldn't ever happen unless you have an
iptables SECMARK rule that assigns that value to a packet.  So this is a
different issue.  BTW, the fact that it is showing up as kernel_t means
that skb->secmark == SECINITSID_KERNEL == 1, FWIW.  Whereas it should be
zero in the absence of iptables rules that set it.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/