Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-05 Thread David Miller
From: James Morris [EMAIL PROTECTED] Date: Thu, 5 Oct 2006 16:58:31 -0400 (EDT) On Tue, 3 Oct 2006, David Miller wrote: The socket policy behavior deserves some scrutiny. I say this because if a matching socket policy is avoided due to security layer error, this could potentially make

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-05 Thread James Morris
On Tue, 3 Oct 2006, David Miller wrote: The socket policy behavior deserves some scrutiny. I say this because if a matching socket policy is avoided due to security layer error, this could potentially make key manager problems very hard to diagnose. In this case, AVC denial messages would

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-04 Thread James Morris
On Wed, 4 Oct 2006, Evgeniy Polyakov wrote: Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted selinux-policy-targeted-2.3.17-2 I get only these messages in audit.log when remote racoon tries to connect to

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-04 Thread Herbert Xu
On Tue, Oct 03, 2006 at 04:18:07PM -0700, David Miller wrote: As I review this patch I realize there is a question of semantics and prioritization here. Indeed. Unfortunately I was doing other things at the time sub-policies were introduced so I didn't pay attention to it. After a quick

RE: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-04 Thread Venkat Yekkirala
On Wed, 4 Oct 2006, Evgeniy Polyakov wrote: Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686 i686 i386 GNU/Linux [EMAIL PROTECTED] ~]# rpm -q selinux-policy-targeted selinux-policy-targeted-2.3.17-2 I get only these messages

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-03 Thread David Miller
From: James Morris [EMAIL PROTECTED] Date: Mon, 2 Oct 2006 10:27:13 -0400 (EDT) Updated version of the patch, which returns directly after a flow cache lookup error in xfrm_lookup rather than returning via the cleanup path (which was causing a spurious dst_release). This works for me,

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-03 Thread James Morris
On Tue, 3 Oct 2006, David Miller wrote: I'm not saying either is wrong, I'm just pointing it out to make sure this is intentional. The socket policy behavior deserves some scrutiny. I say this because if a matching socket policy is avoided due to security layer error, this could

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-03 Thread Evgeniy Polyakov
On Mon, Oct 02, 2006 at 12:41:57PM -0400, James Morris ([EMAIL PROTECTED]) wrote: You can get recent policy packages via the devel repo, which I'd suggest if you're using development (or DIY) kernels. [EMAIL PROTECTED] ~]# uname -a Linux kano 2.6.18 #5 SMP Mon Oct 2 18:44:30 MSD 2006 i686

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread Evgeniy Polyakov
On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) wrote: Updated version of the patch, which returns directly after a flow cache lookup error in xfrm_lookup rather than returning via the cleanup path (which was causing a spurious dst_release). This works for me,

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread James Morris
On Mon, 2 Oct 2006, Evgeniy Polyakov wrote: On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) wrote: Updated version of the patch, which returns directly after a flow cache lookup error in xfrm_lookup rather than returning via the cleanup path (which was causing

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread Evgeniy Polyakov
On Mon, Oct 02, 2006 at 12:13:45PM -0400, James Morris ([EMAIL PROTECTED]) wrote: On Mon, 2 Oct 2006, Evgeniy Polyakov wrote: On Mon, Oct 02, 2006 at 10:27:13AM -0400, James Morris ([EMAIL PROTECTED]) wrote: Updated version of the patch, which return directly after a flow cache

Re: [PATCH] Fix for IPsec leakage with SELinux enabled - V.02

2006-10-02 Thread James Morris
On Mon, 2 Oct 2006, Evgeniy Polyakov wrote: Can you look in /var/log/audit/audit.log? (especially grep for 'association') Indeed. type=AVC msg=audit(1159804556.391:21): avc: denied { polmatch } for pid=2213 comm=racoon scontext=root:system_r:unconfined_t:s0-s0:c0.c255