On Mon, 2012-07-30 at 13:11 -0700, Haiqing Jiang wrote:
> Hi, Stephen,
>
> Could you give me some suggestions for understanding the denials
> as shown below?
>
> #============= release_app ==============
> allow release_app zygote:netlink_selinux_socket getattr;
>
> <5>[13011.539764] type=1400 audit(1343515886.695:592): avc: denied
> { getattr } for pid=10278 comm="ationTestRunner" path="socket:[1516]"
> dev=sockfs ino=1516 scontext=u:r:release_app:s0 tcontext=u:r:zygote:s0
> tclass=netlink_selinux_socket

Just dontaudit it. No need for the app to be able to use a NETLINK_SELINUX socket.

> #============= untrusted_app ==============
> allow untrusted_app self:netlink_route_socket create;
>
> <5>[13900.251708] type=1400 audit(1343516775.406:801): avc: denied
> { create } for pid=15089 comm="WebViewCoreThre"
> scontext=u:r:untrusted_app:s0:c39 tcontext=u:r:untrusted_app:s0:c39
> tclass=netlink_route_socket

Might be required for some apps; should be added under app_network boolean, as:

# Get route information.
allow untrusted_app self:netlink_route_socket { create bind read nlmsg_read };

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
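The exchange above is the usual workflow for triaging AVC denials: parse the audit lines, collapse them to (source type, target type, class) the way audit2allow does, and then decide per tuple whether the access is legitimate (allow, possibly gated by a boolean such as app_network) or noise that should be silenced (dontaudit). The following script is an added example written for this page, not code from the thread or from the SEAndroid project. It parses the two denial lines quoted in the thread, strips the MLS category (`s0:c39`) when reducing a context to its type, merges permissions per tuple, and renders rules only for tuples that have an explicit, reviewer-supplied verdict; the `VERDICTS` table below encodes Stephen's two decisions and is a constructed input, as is the `app_network` boolean block syntax used to wrap the allow rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denial lines quoted in the thread.
AVC_LOG = """\
<5>[13011.539764] type=1400 audit(1343515886.695:592): avc: denied { getattr } for pid=10278 comm="ationTestRunner" path="socket:[1516]" dev=sockfs ino=1516 scontext=u:r:release_app:s0 tcontext=u:r:zygote:s0 tclass=netlink_selinux_socket
<5>[13900.251708] type=1400 audit(1343516775.406:801): avc: denied { create } for pid=15089 comm="WebViewCoreThre" scontext=u:r:untrusted_app:s0:c39 tcontext=u:r:untrusted_app:s0:c39 tclass=netlink_route_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Reviewer decisions keyed by (source type, target type, class).
# Each value is (rule kind, gating boolean or None, extra permissions to grant).
# Constructed to mirror the two verdicts given in the reply above.
VERDICTS = {
    ("release_app", "zygote", "netlink_selinux_socket"): ("dontaudit", None, []),
    ("untrusted_app", "untrusted_app", "netlink_route_socket"):
        ("allow", "app_network", ["bind", "read", "nlmsg_read"]),
}


def context_type(ctx):
    """Return the type field of a context 'user:role:type[:sensitivity[:categories]]'."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Extract (source_type, target_type, tclass, [perms]) from each avc denial line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; ignore other audit records
        found.append((
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            m.group("perms").split(),
        ))
    return found


def aggregate(denials):
    """Merge permissions per (source, target, class) tuple, as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)].update(perms)
    return merged


def fmt_perms(perms):
    """Render a permission set in policy syntax: single name or '{ a b c }'."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_rules(merged, verdicts):
    """Emit policy text; tuples without a recorded verdict get a review marker, not a rule."""
    lines = []
    for key in sorted(merged):
        stype, ttype, tclass = key
        target = "self" if stype == ttype else ttype
        verdict = verdicts.get(key)
        if verdict is None:
            lines.append(f"# REVIEW: no decision for {stype} {target}:{tclass} "
                         f"{fmt_perms(merged[key])}")
            continue
        kind, boolean, extra = verdict
        rule = f"{kind} {stype} {target}:{tclass} {fmt_perms(set(merged[key]) | set(extra))};"
        if boolean:
            # Conditional block so the access can be toggled at runtime.
            lines.extend([f"if ({boolean}) {{", "    " + rule, "}"])
        else:
            lines.append(rule)
    return "\n".join(lines)


def triage(text, verdicts=VERDICTS):
    """Full pipeline: log text -> rendered policy fragment."""
    return render_rules(aggregate(parse_denials(text)), verdicts)


if __name__ == "__main__":
    print(triage(AVC_LOG))
```

Running the script prints a dontaudit rule for the release_app/zygote tuple and an `if (app_network)` block around the untrusted_app netlink_route_socket allow rule with the merged permission set. Any tuple that appears in the log but not in `VERDICTS` is emitted as a `# REVIEW:` comment rather than a rule, so the tool never silently turns a denial into an allow.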