Thread: Selinux: strange sshd denial messages




Selinux: strange sshd denial messages
United States
2007-03-22 16:12:20
Since upgrading to the modular strict SELinux policy, I am seeing an occasional audit message from sshd, which looks like this:

Mar 22 16:53:56 [kernel] audit(1174596836.010:9): avc: denied   for  pid=4624 comm="sshd" saddr=192.168.100.64 src=22 daddr=192.168.100.79 dest=2019 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shlib_t tclass=packet
Mar 22 16:58:33 [kernel] audit(1174597113.174:10): avc: denied   for  pid=4624 comm="sshd" saddr=192.168.100.64 src=22 daddr=192.168.100.79 dest=2019 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:modules_object_t tclass=packet

The strange part, to me, is that the ssh connection being referenced by the error is the connection I'm currently using to log into the system. This means that it's been sending and receiving packets pretty steadily for at least 3 hours, and only generated two denial messages. Even more unusual, the target context changed between the two messages.

Since I'm still running in permissive mode, this isn't actually causing real problems, and I'm tempted to just dontaudit them away, but does anyone know why this behavior would occur, and if I should be concerned about fixing it?

--Mike
-- 
gentoo-hardened@gentoo.org mailing list
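
Added example, not part of the original post: a small Python parser for the two denials quoted above, which groups tclass=packet denials by connection and lists the distinct target contexts seen on each, so a changing tcontext stands out. The function names are hypothetical, the sample log is reconstructed from the post, and the permission set in braces is treated as optional because it does not appear in the archived lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the post, rejoined onto single lines.
SAMPLE_LOG = """\
Mar 22 16:53:56 [kernel] audit(1174596836.010:9): avc: denied   for  pid=4624 comm="sshd" saddr=192.168.100.64 src=22 daddr=192.168.100.79 dest=2019 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shlib_t tclass=packet
Mar 22 16:58:33 [kernel] audit(1174597113.174:10): avc: denied   for  pid=4624 comm="sshd" saddr=192.168.100.64 src=22 daddr=192.168.100.79 dest=2019 netif=eth0 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:modules_object_t tclass=packet
"""

# "{ perms }" is optional: the archived lines carry no permission set.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"(?:\{(?P<perms>[^}]*)\}\s+)?for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC denial's fields, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["ts"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = (m.group("perms") or "").split()
    return rec

def packet_denials_by_flow(log_text):
    """Group tclass=packet denials by (comm, saddr, src, daddr, dest)."""
    flows = defaultdict(lambda: {"count": 0, "tcontexts": []})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "packet":
            continue
        key = tuple(rec.get(k) for k in ("comm", "saddr", "src", "daddr", "dest"))
        flows[key]["count"] += 1
        tctx = rec.get("tcontext", "?")
        if tctx not in flows[key]["tcontexts"]:
            flows[key]["tcontexts"].append(tctx)
    return dict(flows)

def unstable_flows(log_text):
    """Flows whose denials name more than one target context."""
    return {k: v for k, v in packet_denials_by_flow(log_text).items()
            if len(v["tcontexts"]) > 1}

if __name__ == "__main__":
    for flow, info in unstable_flows(SAMPLE_LOG).items():
        print(flow, info["count"], info["tcontexts"])
```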


Re: Selinux: strange sshd denial messages
Poland
2007-03-22 16:38:23
I had the same issue and as far as I remember, it was caused by the following kernel configuration option:

"Security options" ---> "NSA SELinux enable new secmark network controls by default"

Gentoo Selinux Handbook says that it should be disabled, and help in the kernel config says "If you are unsure what do do here, select N.".

Regards,
Marek Wróbel

