On Sep 12, 2017 7:01 AM, "Dominick Grift" <dac.override@xxxxxxxxx> wrote:
I have extended socket class polcap enabled but i am still seeing "socket" class events and i was wondering whether that is to be expected?
avc: denied { create } for pid=10484 comm="nethogs" scontext=wheel.id:sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role: nethogs.subj:s0 tclass=socket permissive=0
This seems to be common to processes that also create (and map! [1]) "packet_socket" sockets (tcpdump/nethogs)
[1] avc: denied { map } for pid=10525 comm="nethogs" path="socket:[56040]" dev="sockfs" ino=56040 scontext=wheel.id:sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role: nethogs.subj:s0 tclass=packet_socket permissive=0
No, that is not expected. Can you enable sys call audit and get those records?
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search= 0x3B6C5F1D2C7B6B02
Dominick Grift
