Re: [policy-1.8-19] Reading the hostname AVCs

On Fri, 19 Mar 2004 19:57, Aleksey Nogin <aleksey@xxxxxxxxx> wrote:
> When running hostname (or hostname -s) to _get_ (not set) the hostname
> as a "staff" user - under sysadm_r:
>
> The socket ones are coming from, I believe, trying to access
> /var/run/nscd/socket that does not exist (nscd was never used on this
> machine).

allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;

The above 4 lines of policy will permit the access to net_conf_t and to 
creating unix_stream_sockets (although I don't know why it does either of 
these things).  It may need can_network() although so far none of my tests 
have had it use any TCP/IP functionality.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
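To show how denials like the ones discussed in this thread turn into the four policy lines above, here is an added example (not from the policy package or from either poster) that groups "avc: denied" log lines by source type, target type and object class and renders allow or dontaudit rules, the way audit2allow does. The AVC lines are constructed to resemble a hostname run under sysadm_r; the choice to dontaudit the var_t search (the missing nscd socket) and the expansion of create_stream_socket_perms are the policy author's, so the generator only emits the raw permissions it sees.

```python
"""Toy AVC-to-rule generator: groups 'avc: denied' lines by
(source type, target type, class) and emits allow/dontaudit rules,
the way audit2allow does. Added example, not the policy package's tooling."""
import re
from collections import defaultdict
# Constructed sample AVC lines, shaped like the denials discussed in the
# thread (hostname run under sysadm_r to read the hostname; nscd absent).
SAMPLE_AVCS = """\
audit(1079700000.123:45): avc:  denied  { getattr read } for  pid=2211 comm="hostname" name="resolv.conf" dev=hda3 ino=1234 scontext=user_u:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079700000.124:46): avc:  denied  { create } for  pid=2211 comm="hostname" scontext=user_u:sysadm_r:hostname_t tcontext=user_u:sysadm_r:hostname_t tclass=unix_stream_socket
audit(1079700000.125:47): avc:  denied  { search } for  pid=2211 comm="hostname" name="run" dev=hda3 ino=2 scontext=user_u:sysadm_r:hostname_t tcontext=system_u:object_r:var_t tclass=dir
audit(1079700000.126:48): avc:  denied  { getattr } for  pid=2211 comm="hostname" scontext=user_u:sysadm_r:hostname_t tcontext=system_u:object_r:fs_t tclass=filesystem
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Third field of user:role:type is the SELinux type."""
    return context.split(":")[2]

def parse_avcs(text):
    """Return {(src_type, tgt_type, tclass): set(perms)} for denied AVCs."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; skip it
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def rules_for(denials, dontaudit=()):
    """Render one rule per (src, tgt, class), writing 'self' when src == tgt.
    Keys listed in `dontaudit` get a dontaudit rule instead of an allow."""
    out = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        kw = "dontaudit" if (src, tgt, cls) in dontaudit else "allow"
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"{kw} {src} {target}:{cls} {perm_str};")
    return out

if __name__ == "__main__":
    # Silence the harmless /var search (absent nscd socket) instead of allowing it.
    print("\n".join(rules_for(parse_avcs(SAMPLE_AVCS), {("hostname_t", "var_t", "dir")})))
```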
