On Sunday, 14 April 2019 1:36:07 AM AEST Sugar, David wrote:
> >>> Why is a socket that everything sends to labeled as kernel_t?
> >>
> >> Russell, you aren't seeing this type of access on Debian?
> >
> > ifdef(`init_systemd',`
> >     init_domain($1, $2)
> >     # this may be because of late labelling
> >     kernel_dgram_send($1)
> >
> >     allow $1 init_t:unix_dgram_socket sendto;
> > ')
> >
> > The above is in the upstream policy in the init_daemon_domain()
> > interface.
> > Not sure why.
> >
> > I've put in an auditallow rule and so far haven't been able to reproduce
> > it.
> > So we can probably remove that line.
> >
>
> Upstream RHEL is setting up the attribute 'syslog_client_type', has
> 'typeattribute $1 syslog_client_type' in logging_send_syslog_msg ()
>
> and then
> ifdef(`hide_broken_symptoms',`
>     kernel_dgram_send(syslog_client_type)
> ')
> in logging.te

Well they are stating that it's a symptom of brokenness...

> When not allowing this access I get a RHEL system that will not boot.
> I'm happy to put this in an 'ifdef distro_redhat'. Please let me know
> the preference on how to proceed.

Yes ifdef distro_redhat seems like a good idea.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/