Re: nsupdate and netlink_socket AVCs
- From: Daniel J Walsh <dwalsh redhat com>
- To: fedora-selinux-list redhat com
- Subject: Re: nsupdate and netlink_socket AVCs
- Date: Thu, 11 Mar 2004 16:18:43 -0500
Aleksey Nogin wrote:
Is nsupdate a program to be run by an ordinary user?
If yes, we need to define a security context for nsupdate to allow it to
access the netlink_sockets.
If we allow users access, then any rogue app the user runs could access
the network devices.
Dan
If I attempt to use nsupdate from under an ordinary user (which
shouldn't be a problem, should it?), then I see
audit(1079022100.499:0): avc: denied { bind } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { write } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.500:0): avc: denied { read } for pid=18759
exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
tcontext=user_u:user_r:user_t tclass=netlink_socket
Not sure what this is all about.