Re: binding and listening to port work with SELinux, but the process is unable receive data from clients

On 3/20/19 10:56 AM, SZIGETVÁRI János wrote:
Hi Stephen,

I have to admit, I forgot to mention that I was creating the policy on RHEL 7.5, not Fedora.

Nonetheless, the same appears to be true on Fedora. dontaudit rules for all domains obviously make it harder to debug and develop policies for new domains. They should be kept to a minimum.

I suspect these rules were to silence "noisy" denials when sockets are created without SOCK_CLOEXEC and then the process execs into a different domain. But a) in some of those cases, we probably do need/want to allow inheritance, so we need to see those denials, and b) we shouldn't silence the self case. Unfortunately we don't have a way to write rules that exclude self currently.


Sorry about that!
János

Stephen Smalley <sds@xxxxxxxxxxxxx> wrote (on 20 Mar 2019, Wed, 15:45):


    Obvious question is why are these being dontaudit'd by Fedora policy.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
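As an added illustration of the mechanism described in the reply above (this is not code from the thread): a socket created without SOCK_CLOEXEC stays open across execve(), so a process that execs into a different domain hands that domain a descriptor it may have no policy to use, which is the class of denial the dontaudit rules silence. The helper names below are hypothetical; the block checks the FD_CLOEXEC flag and shows the fcntl() retrofit for descriptors that were not created with SOCK_CLOEXEC.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP socket. With cloexec != 0 the descriptor gets FD_CLOEXEC
 * atomically at creation, so it is closed on execve() and never reaches
 * the domain the process transitions into. Returns the fd or -1. */
int make_socket(int cloexec)
{
    int type = SOCK_STREAM | (cloexec ? SOCK_CLOEXEC : 0);
    return socket(AF_INET, type, 0);
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is invalid. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Retrofit FD_CLOEXEC onto a descriptor that was created without it
 * (e.g. one handed back by a library). Returns 0 on success, -1 on error.
 * Unlike SOCK_CLOEXEC at creation, this is not atomic against a concurrent
 * fork()+execve() in another thread, so prefer SOCK_CLOEXEC where possible. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void)
{
    int leaky = make_socket(0);   /* would be inherited across execve() */
    int safe = make_socket(1);    /* closed on execve() */
    if (leaky < 0 || safe < 0) {
        perror("socket");
        return 1;
    }
    printf("without SOCK_CLOEXEC: FD_CLOEXEC=%d\n", fd_is_cloexec(leaky));
    printf("with    SOCK_CLOEXEC: FD_CLOEXEC=%d\n", fd_is_cloexec(safe));
    set_cloexec(leaky);
    printf("after fcntl() fix:    FD_CLOEXEC=%d\n", fd_is_cloexec(leaky));
    close(leaky);
    close(safe);
    return 0;
}
```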