Since upgrading to the modular strict SELinux policy, I am seeing an
occasional audit message from sshd, which looks like this:

Mar 22 16:53:56 [kernel] audit(1174596836.010:9): avc: denied { send } for pid=4624 comm="sshd" saddr=192.168.100.64 src=22 daddr=192.168.100.79 dest=2019 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shlib_t tclass=packet
Mar 22 16:58:33 [kernel] audit(1174597113.174:10): avc: denied { send } for pid=4624 comm="sshd" saddr=192.168.100.64 src=22 daddr=192.168.100.79 dest=2019 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:modules_object_t tclass=packet

The strange part, to me, is that the ssh connection being referenced by
the error is the connection I'm currently using to log into the system.
This means that it's been sending and receiving packets pretty
steadily for at least 3 hours, and only generated two denial messages.
Even more unusual, the target context changed between the two messages.

Since I'm still running in permissive mode, this isn't actually causing
real problems, and I'm tempted to just dontaudit them away, but does
anyone know why this behavior would occur, and if I should be concerned
about fixing it?

--Mike
--
gentoo-hardened@g.o mailing list