Re: [policy-1.8-22] Bringing a device via hotplug AVCs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 19 Mar 2004 20:47, Aleksey Nogin <aleksey@xxxxxxxxx> wrote:
> The list is now much smaller than it used to be. I see:
>
> audit(1079689114.447:0): avc:  denied  { read } for  pid=1615
> exe=/sbin/route name=resolv.conf dev=hda2 ino=229950
> scontext=system_u:system_r:hotplug_t
> tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1079689114.448:0): avc:  denied  { getattr } for  pid=1615
> exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950
> scontext=system_u:system_r:hotplug_t
> tcontext=system_u:object_r:net_conf_t tclass=file
> audit(1079689115.057:0): avc:  denied  { udp_recv } for
> saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t
> tclass=netif

can_network(hotplug_t)
The above rule solved all that.  I'm not sure that's what we desire though.  
Maybe the program that calls /sbin/route should be running in a different 
domain?  How is this wavelan stuff setup?  Why is it different from an 
ethernet device?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux