[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Stuff I found in my log?



On Wed, 2006-05-24 at 15:03 +0100, Paul Howarth wrote:
> Stephen Smalley wrote:
> > On Wed, 2006-05-24 at 09:33 -0400, Daniel J Walsh wrote:
> >>> I get these too. I asked about it yesterday but no response yet. Looking
> >>> at the policy for other packages, and bearing in mind that webalizer
> >>> still seems to work despite the denials, I suspect that these can be
> >>> dontaudit-ed, but I'd like to know what they are first.
> >>>   
> >> This means webalizer is trying to look at the routing table.  Not sure 
> >> whether it matters whether it can or can not.  Not that
> >> valuable of information so I will probably allow.
> > 
> > It is a common access attempt due to library probing.  We commonly
> > dontaudit it, but you could allow the read-only form (i.e. create read
> > write nlmsg_read) to get routing information without being able to
> > modify it (which requires nlmsg_write).  Note the distinction:  read and
> > write permission means the ability to communicate with the kernel over
> > the socket which is required for any kind of operation, whereas
> > nlmsg_read and nlmsg_write correspond to the actual reading and writing
> > of the routing table info (or other netlink-provided data).
> 
> Is there a macro shorthand form of this or do I need to do:
> 
> # Allow webalizer to read the routing table
> allow webalizer_t self:netlink_route_socket { create read write 
> nlmsg_read };

policy/support/obj_perm_sets.spt defines r_netlink_socket_perms for that
purpose, and rw_netlink_socket_perms for read-and-modify access.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]