[policy-1.8-22] Bringing a device via hotplug AVCs

Stephen Smalley sds at epoch.ncsc.mil
Fri Mar 19 13:18:16 UTC 2004


On Fri, 2004-03-19 at 07:46, Daniel J Walsh wrote:
> Aleksey Nogin wrote:
> 
> > The list is now much smaller than it used to be. I see:
> >
> > audit(1079689114.447:0): avc:  denied  { read } for  pid=1615 
> > exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 
> > scontext=system_u:system_r:hotplug_t 
> > tcontext=system_u:object_r:net_conf_t tclass=file
> > audit(1079689114.448:0): avc:  denied  { getattr } for  pid=1615 
> > exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 
> > scontext=system_u:system_r:hotplug_t 
> > tcontext=system_u:object_r:net_conf_t tclass=file
> > audit(1079689115.057:0): avc:  denied  { udp_recv } for 
> > saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 
> > scontext=system_u:system_r:hotplug_t 
> > tcontext=system_u:object_r:netif_t tclass=netif
> > audit(1079689115.057:0): avc:  denied  { udp_recv } for 
> > saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 
> > scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t 
> > tclass=node
> > audit(1079689115.057:0): avc:  denied  { recv_msg } for 
> > saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 
> > scontext=system_u:system_r:hotplug_t 
> > tcontext=system_u:object_r:dns_port_t tclass=udp_socket
> >
> Updated policy to handle all your avc messages, not sure what to do with 
> the last ones though.

Should /sbin/route run in netutils_t (in general, both from hotplug_t
and from sysadm_t)?

In any event, hotplug_t is likely a candidate for unconfined_domain() in
the limited policy, as is insmod_t.
 
-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency




More information about the fedora-selinux-list mailing list