| 1 |
Since upgrading to the modular strict SELinux policy, I am seeing an |
| 2 |
occasional audit message from sshd, which look like this: |
| 3 |
|
| 4 |
Mar 22 16:53:56 [kernel] audit(1174596836.010:9): avc: denied { send } |
| 5 |
for pid=4624 comm="sshd" saddr=192.168.100.64 src=22 |
| 6 |
daddr=192.168.100.79 dest=2019 netif=eth0 |
| 7 |
scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shlib_t |
| 8 |
tclass=packet |
| 9 |
Mar 22 16:58:33 [kernel] audit(1174597113.174:10): avc: denied { send |
| 10 |
} for pid=4624 comm="sshd" saddr=192.168.100.64 src=22 |
| 11 |
daddr=192.168.100.79 dest=2019 netif=eth0 |
| 12 |
scontext=system_u:system_r:sshd_t |
| 13 |
tcontext=system_u:object_r:modules_object_t tclass=packet |
| 14 |
|
| 15 |
The strange part, to me, is that the ssh connection being referenced by |
| 16 |
the error is the connection I'm currently using to log into the system. |
| 17 |
This means that it's been sending and receiving packets pretty |
| 18 |
steadily for at least 3 hours, and only generated two denial messages. |
| 19 |
Even more unusual, the target context changed between the two messages. |
| 20 |
|
| 21 |
Since I'm still running in permissive mode, this isn't actually causing |
| 22 |
real problems, and I'm tempted to just dontaudit them away, but does |
| 23 |
anyone know why this behavior would occur, and if I should be concerned |
| 24 |
about fixing it? |
| 25 |
|
| 26 |
--Mike |
| 27 |
-- |
| 28 |
gentoo-hardened@g.o mailing list |
Archives