Is nsupdate a program to be run by an ordinary user? If yes, we need to define a security context for nsupdate to allow it to access the netlink_sockets.
If we allow users that access, any rogue app the user runs could access the network devices.
Dan
If I attempt to use nsupdate as an ordinary user (which shouldn't be a problem, should it?), then I see
audit(1079022100.499:0): avc: denied { bind } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { write } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.500:0): avc: denied { read } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
Not sure what this is all about.