On 4/13/19 3:54 AM, Dominick Grift wrote: > On Sat, Apr 13, 2019 at 02:24:25PM +1000, Russell Coker wrote: >> On Saturday, 13 April 2019 1:26:06 PM AEST Sugar, David wrote: >>> On 4/12/19 10:33 PM, Russell Coker wrote: >>>> What is netlink_kobject_uevent_socket? Do we have a place we can document >>>> this sort of thing to make it easier to determine whether access is >>>> required and what the implications of such access are? >>> >>> I'm really not sure either. But, please note, that this patch is >>> dontaudit rules to quiet some denials that didn't seem to have any >>> negative side effect. If this patch isn't applied things will still >>> function, just have some entries in the audit logs. >> >> There's a good chance the action in question isn't an accident and some aspect >> of the program's functionality will be changed. I think it's best to have an >> idea of what the issue was before putting in a dontaudit rule, if some >> configuration of that program actually needs such functionality then a >> dontaudit will make it inconvenient to track it down. >> >> Have you tried running strace or ltrace to see what it's doing? > > I agree that this probably shouldnt be dontaudited. This is a common pattern for "udev clients" > > The kobject_uevent socket aspect is probably to monitor devices (equivalent to `udevadm monitor`) > This should be skipped and not merged. Would you like this set to be resubmitted without this particular patch? >> >> -- >> My Main Blog http://etbe.coker.com.au/ >> My Documents Blog http://doc.coker.com.au/ >> >
