On Tue, 2012-07-24 at 15:32 -0700, Haiqing Jiang wrote:
> Hi, Stephen
>
> I found the denial, but I have no idea about the exact object related
> to the denial. Please let me know your comments. Thanks.
>
> #============= mediaserver ==============
> allow mediaserver rild:unix_stream_socket connectto;
>
> <5>[ 9719.676422] type=1400 audit(1343162276.710:1512): avc: denied
> { connectto } for pid=519 comm=42696E646572205468726561642023
> path=004D756C7469636C69656E74 scontext=u:r:mediaserver:s0
> tcontext=u:r:rild:s0 tclass=unix_stream_socket

Oh, it is a socket in the abstract namespace (the path starts with the null
byte). So it is not the /dev/socket/rild socket that is in view here.

So I guess you can add:

allow mediaserver rild:unix_stream_socket connectto;

and not use the unix_socket_connect() macro, because we do not want to allow
use of /dev/socket/rild, only the abstract socket connection.

-- 
Stephen Smalley
National Security Agency
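As an added illustration of the reasoning in the reply above (not code from either poster), the following script decodes the hex-encoded comm= and path= fields of the quoted AVC record, checks whether the socket path begins with a NUL byte (abstract namespace), and derives the minimal allow rule. The parsing helpers and their names are the example's own assumptions, not part of any SELinux tool.

```python
import re

# The audit record quoted in the mail, reassembled on one line (constructed input).
AVC_LINE = ('type=1400 audit(1343162276.710:1512): avc: denied { connectto } '
            'for pid=519 comm=42696E646572205468726561642023 '
            'path=004D756C7469636C69656E74 scontext=u:r:mediaserver:s0 '
            'tcontext=u:r:rild:s0 tclass=unix_stream_socket')

# Fields the audit subsystem hex-encodes when they contain spaces, quotes or
# non-printable bytes; a leading NUL in a socket path is one such byte.
HEX_FIELDS = {'comm', 'path', 'name'}

def decode_field(key, value):
    """Return bytes for hex-encoded fields, the plain string otherwise."""
    if key in HEX_FIELDS:
        if not value.startswith('"') and re.fullmatch(r'[0-9A-Fa-f]+', value) \
                and len(value) % 2 == 0:
            return bytes.fromhex(value)
        return value.strip('"').encode()
    return value.strip('"')

def parse_avc(line):
    """Extract the denied permissions and key=value fields of one AVC denial."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$', line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    denial = {'perms': m.group(1).split()}
    for key, value in re.findall(r'(\w+)=(\S+)', m.group(2)):
        denial[key] = decode_field(key, value)
    return denial

def is_abstract_socket(path):
    """Linux abstract-namespace unix sockets have a path whose first byte is NUL."""
    return path.startswith(b'\x00')

def type_of(context):
    """u:r:mediaserver:s0 is user:role:type:level; return the type."""
    return context.split(':')[2]

def suggest_rule(denial):
    """Minimal rule for this denial. For an abstract socket no sock_file write
    permission on /dev/socket/* is needed, so the plain allow suffices (the
    unix_socket_connect() macro would also grant the filesystem socket)."""
    return 'allow %s %s:%s %s;' % (type_of(denial['scontext']),
                                   type_of(denial['tcontext']),
                                   denial['tclass'], ' '.join(denial['perms']))

if __name__ == '__main__':
    d = parse_avc(AVC_LINE)
    print('comm:', d['comm'], 'path:', d['path'])
    print('abstract namespace:', is_abstract_socket(d['path']))
    print(suggest_rule(d))
```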