656950 – If secmark packets are rejected by SELinux, the calling app should get a eperm returned

Bug 656950 - If secmark packets are rejected by SELinux, the calling app should get a eperm returned

Summary: If secmark packets are rejected by SELinux, the calling app should get a eper...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Eric Paris
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	656952 743245
TreeView+	depends on / blocked

Reported:	2010-11-24 15:14 UTC by Daniel Walsh
Modified:	2011-10-12 17:04 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Clones:	656952 (view as bug list)
Environment:
Last Closed:	2011-10-12 17:04:45 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Walsh 2010-11-24 15:14:14 UTC

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2010-11-24 15:15:29 UTC

Playing with SECMARK and trying to get certain failure situations, I notice links/firefox hang when selinux is blocking packet flow.

Comment 2 Eric Paris 2010-11-24 15:44:21 UTC

upstream (net-next tree) commits (reverse order)

2fe66ec242d3f76e3b0101f36419e7e5405bcff3
04f6d70f6e64900a5d70a5fc199dd9d5fa787738
1f1aaf82825865a50cef0b4722607abb12aeee52
ee58681195bf243bafc44ca53f3c24429d096cce
da6836500414ae734cd9873c2d553db594f831e9

Comment 3 Kyle McMartin 2010-12-09 22:29:54 UTC

Barf. I assume these are queued for .38?

Comment 4 Eric Paris 2010-12-09 23:24:34 UTC

These secmark commits are all on the way to -38 in
http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git

One or two of these might have already gone to stable:
15714f7b58011cf3948cab2988abea560240c74f
2606fd1fa5710205b23ee859563502aa18362447
1cc63249adfa957b34ca51effdee90ff8261d63f
1ae4de0cdf855305765592647025bde55e85e451
ff660c80d00b52287f1f67ee6c115dc0057bcdde

Actual patches for this bug (same as comment #2)
da6836500414ae734cd9873c2d553db594f831e9
ee58681195bf243bafc44ca53f3c24429d096cce
1f1aaf82825865a50cef0b4722607abb12aeee52
04f6d70f6e64900a5d70a5fc199dd9d5fa787738
2fe66ec242d3f76e3b0101f36419e7e5405bcff3

Note You need to log in before you can comment on or make changes to this bug.