[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: nsupdate and netlink_socket AVCs

From: Daniel J Walsh <dwalsh redhat com>
To: fedora-selinux-list redhat com
Subject: Re: nsupdate and netlink_socket AVCs
Date: Thu, 11 Mar 2004 23:45:41 -0500

Aleksey Nogin wrote:

On 11.03.2004 13:18, Daniel J Walsh wrote:

Is nsupdate a program to be run by an ordinary user?

Yes. But if I understand correctly, it only needs to communicate over UDP or TCP to a DNS server from an unprivileged port. I do not know why it wants netlink_sockets.

If yes we need to define a security context for nsupdate to allow it to access the netlink_sockets.

Are you sure? _Why_ does nsupdate need it? Is it not an nsupdate deficiency?

Taking a quick look at the code it is doing some stuff to determine if it has IPV4 and IPV6 support. You can define a security context for it and give it netlink access. If you take a look at the named.te file and copied the section on ncd_exec_t/ncd_t to nsupdate_exec_t/nsupdate_t you could get a good start on it. Then add

allow nsupdate_t self:netlink_socket create_socket_perms;

Dan

References:
- nsupdate and netlink_socket AVCs
  - From: Aleksey Nogin
- Re: nsupdate and netlink_socket AVCs
  - From: Daniel J Walsh
- Re: nsupdate and netlink_socket AVCs
  - From: Aleksey Nogin

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]