Re: nsupdate and netlink_socket AVCs


 



Aleksey Nogin wrote:

> On 11.03.2004 13:18, Daniel J Walsh wrote:
>
>> Is nsupdate a program to be run by an ordinary user?
>
> Yes. But if I understand correctly, it only needs to communicate over UDP or TCP to a DNS server from an unprivileged port. I do not know why it wants netlink_sockets.
>
>> If yes, we need to define a security context for nsupdate to allow it to access the netlink_sockets.
>
> Are you sure? _Why_ does nsupdate need it? Is it not an nsupdate deficiency?



Taking a quick look at the code, it is doing some stuff to determine if it has IPV4 and IPV6 support. You can define a security context for it and give it netlink access. If you take a look at the named.te file and copy the section on ncd_exec_t/ncd_t to nsupdate_exec_t/nsupdate_t, you could get a good start on it. Then add


allow nsupdate_t self:netlink_socket create_socket_perms;

Dan
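
An added example, not part of the thread or of the policy sources: a small Python script, in the spirit of audit2allow, that collapses AVC denials into allow rules and shows how netlink_socket denials map onto a `self:netlink_socket` rule like the one above. The log lines are constructed, and they assume nsupdate already runs in the proposed nsupdate_t domain.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the thread). nsupdate_t is the domain
# proposed in the message; pids, timestamps and contexts are made up.
SAMPLE_LOG = """\
audit(1078990000.101:0): avc:  denied  { create } for  pid=2101 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=user_u:user_r:nsupdate_t tclass=netlink_socket
audit(1078990000.102:0): avc:  denied  { bind } for  pid=2101 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=user_u:user_r:nsupdate_t tclass=netlink_socket
audit(1078990000.103:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=user_u:user_r:nsupdate_t tclass=netlink_socket
kernel: eth0: link up (unrelated line, must be ignored)
audit(1078990000.104:0): avc:  denied  { read } for  pid=2101 exe=/usr/bin/nsupdate name=resolv.conf scontext=user_u:user_r:nsupdate_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(context):
    """Return the type field of user:role:type[:range], or None if malformed."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def denials_to_rules(log_text):
    """Union denied permissions per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = context_type(m["src"]), context_type(m["tgt"])
        if src is None or tgt is None:
            continue
        if src == tgt:
            tgt = "self"  # a domain acting on its own objects, e.g. its sockets
        perms_by_key[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

The derived rule lists only the permissions that were actually denied, which can be compared against what create_socket_perms would grant before adding it to the policy.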


