Re: Stuff I found in my log?

Stephen Smalley wrote:
On Wed, 2006-05-24 at 09:33 -0400, Daniel J Walsh wrote:
I get these too. I asked about it yesterday but no response yet. Looking
at the policy for other packages, and bearing in mind that webalizer
still seems to work despite the denials, I suspect that these can be
dontaudit-ed, but I'd like to know what they are first.
This means webalizer is trying to look at the routing table. Not sure whether it matters whether it can or can not. Not that
valuable of information so I will probably allow.

It is a common access attempt due to library probing.  We commonly
dontaudit it, but you could allow the read-only form (i.e. create read
write nlmsg_read) to get routing information without being able to
modify it (which requires nlmsg_write).  Note the distinction:  read and
write permission means the ability to communicate with the kernel over
the socket which is required for any kind of operation, whereas
nlmsg_read and nlmsg_write correspond to the actual reading and writing
of the routing table info (or other netlink-provided data).

Is there a macro shorthand form of this or do I need to do:

# Allow webalizer to read the routing table
allow webalizer_t self:netlink_route_socket { create read write nlmsg_read };
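The rules being discussed are easier to get right when generated straight from the denials, the way audit2allow does, but with the read/write versus nlmsg_read/nlmsg_write distinction above applied. The following is an added example written for this page, not code from the thread or from the SELinux tooling. The AVC lines in SAMPLE_LOG are constructed to resemble what the poster would have seen in audit.log; the function names and the NETLINK_READONLY set are this example's own. It emits a dontaudit of exactly what was denied, or the read-only allow form, and flags rather than allows any attempt at nlmsg_write.

```python
"""Mini audit2allow for netlink denials (added example, not from the thread).

The sample denials below are constructed for this example; they are not the
list poster's actual log.
"""
import re
from collections import defaultdict

# Constructed sample: three netlink denials from one webalizer run plus an
# unrelated SYSCALL record, in the audit.log format of a 2006-era kernel.
SAMPLE_LOG = """\
type=AVC msg=audit(1148477611.235:1207): avc:  denied  { create } for  pid=5120 comm="webalizer" scontext=root:system_r:webalizer_t tcontext=root:system_r:webalizer_t tclass=netlink_route_socket
type=AVC msg=audit(1148477611.236:1208): avc:  denied  { write } for  pid=5120 comm="webalizer" scontext=root:system_r:webalizer_t tcontext=root:system_r:webalizer_t tclass=netlink_route_socket
type=AVC msg=audit(1148477611.236:1209): avc:  denied  { nlmsg_read } for  pid=5120 comm="webalizer" scontext=root:system_r:webalizer_t tcontext=root:system_r:webalizer_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1148477611.236:1209): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# The read-only form from the thread: create/read/write let the domain talk
# to the kernel over the socket at all, nlmsg_read lets it read the routing
# table. nlmsg_write (modify the table) is deliberately left out.
NETLINK_READONLY = ("create", "read", "write", "nlmsg_read")


def context_type(ctx):
    """user:role:type[:mls] -> type"""
    return ctx.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target, object class).

    The target is written as 'self' when source and target types match,
    which is the usual case for socket denials like the ones above.
    """
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other records carry no "avc: denied"
        stype = context_type(m["scontext"])
        ttype = context_type(m["tcontext"])
        target = "self" if stype == ttype else ttype
        denials[(stype, target, m["tclass"])].update(m["perms"].split())
    return {key: frozenset(perms) for key, perms in denials.items()}


def dontaudit_rules(denials):
    """Silence exactly what was denied, granting nothing."""
    return [
        f"dontaudit {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, target, tclass), perms in sorted(denials.items())
    ]


def readonly_allow_rules(denials):
    """For netlink classes, grant the read-only form rather than blindly
    allowing the denied set. An attempted nlmsg_write is reported as a
    comment so the reviewer decides, instead of being allowed."""
    rules = []
    for (stype, target, tclass), perms in sorted(denials.items()):
        if not tclass.startswith("netlink_"):
            continue
        rules.append(
            f"allow {stype} {target}:{tclass} {{ {' '.join(NETLINK_READONLY)} }};"
        )
        if "nlmsg_write" in perms:
            rules.append(
                f"# {stype} also attempted nlmsg_write on {tclass}: that would "
                "let it modify the kernel's tables, so it is not granted here"
            )
    return rules


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print("# dontaudit form:")
    print("\n".join(dontaudit_rules(found)))
    print("# read-only allow form:")
    print("\n".join(readonly_allow_rules(found)))
```

Run against the constructed sample, the read-only form comes out as the exact rule quoted in the question above. As for the macro question: the reference policy defines permission-set macros for netlink sockets in obj_perm_sets.spt (as I recall, `r_netlink_socket_perms` for the read-only case, which expands to a superset of these four permissions since it includes the full socket permission set); check the policy sources you build against before relying on the name.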
