Stuff I found in my log?
Paul Howarth
paul at city-fan.org
Wed May 24 14:03:22 UTC 2006
Stephen Smalley wrote:
> On Wed, 2006-05-24 at 09:33 -0400, Daniel J Walsh wrote:
>>> I get these too. I asked about it yesterday but no response yet. Looking
>>> at the policy for other packages, and bearing in mind that webalizer
>>> still seems to work despite the denials, I suspect that these can be
>>> dontaudit-ed, but I'd like to know what they are first.
>>>
>> This means webalizer is trying to look at the routing table. Not sure
>> whether it matters whether it can or can not. Not that
>> valuable of information so I will probably allow.
>
> It is a common access attempt due to library probing. We commonly
> dontaudit it, but you could allow the read-only form (i.e. create read
> write nlmsg_read) to get routing information without being able to
> modify it (which requires nlmsg_write). Note the distinction: read and
> write permission means the ability to communicate with the kernel over
> the socket which is required for any kind of operation, whereas
> nlmsg_read and nlmsg_write correspond to the actual reading and writing
> of the routing table info (or other netlink-provided data).
Is there a macro shorthand form of this or do I need to do:
# Allow webalizer to read the routing table
allow webalizer_t self:netlink_route_socket { create read write
nlmsg_read };
Paul.
More information about the fedora-selinux-list
mailing list