On Wed, 2007-08-22 at 16:29 +0200, Michal Piotrowski wrote: > On 22/08/07, James Morris <[EMAIL PROTECTED]> wrote: > > On Wed, 22 Aug 2007, Stephen Smalley wrote: > > > > > Oops, never mind - tail still follows secmark, so that shouldn't matter. > > > So I'm not sure why we are getting a bad value for secmark here - should > > > be initialized to zero and never modified unless there is an iptables > > > secmark rule. > > > > Michal, do you see this in current git? > > No, I do not see this problem in 2.6.23. I had similar problem last > month, but it is fixed now. > > http://lkml.org/lkml/2007/7/12/362
The difference being that there the denials were against unlabeled_t (the expected default in the presence of no iptables SECMARK rules, and allowed by current policies), while the denials against 2.6.20.17 were against kernel_t. Which shouldn't ever happen unless you have an iptables SECMARK rule that assigns that value to a packet. So this is a different issue. BTW, the fact that it is showing up as kernel_t means that skb->secmark == SECINITSID_KERNEL == 1, FWIW. Whereas it should be zero in the absence of iptables rules that set it. -- Stephen Smalley National Security Agency - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
