nsupdate and netlink_socket AVCs
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 11 21:18:43 UTC 2004
Aleksey Nogin wrote:
Is nsupdate a program to be run by an ordinary user?
If yes, we need to define a security context for nsupdate to allow it to
access the netlink_sockets.
If we allow users access, then any rogue app the user runs could access
the network devices.
Dan
> If I attempt to use nsupdate from under an ordinary user (which
> shouldn't be a problem, should it?), then I see
>
> audit(1079022100.499:0): avc: denied { bind } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
> audit(1079022100.499:0): avc: denied { getattr } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
> audit(1079022100.499:0): avc: denied { write } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
> audit(1079022100.500:0): avc: denied { read } for pid=18759
> exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t
> tcontext=user_u:user_r:user_t tclass=netlink_socket
>
> Not sure what this is all about.
>
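The four AVC lines above, read the way audit2allow reads them, collapse to a single allow rule, which makes Dan's objection concrete: the rule is keyed on the source type, so it would grant the access to every process running as user_t, not just nsupdate. The script below is an added example, not part of the thread or of any SELinux tool; it embeds the denials from Aleksey's message (rejoined onto one line each, as constructed sample input), parses them, and prints the merged rule. The regex and field handling are assumptions about the 2004-era message format shown here, nothing more.

```python
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the thread, each AVC
# record joined back onto a single line (the mail client wrapped them).
SAMPLE_AVCS = """\
audit(1079022100.499:0): avc: denied { bind } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { getattr } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.499:0): avc: denied { write } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
audit(1079022100.500:0): avc: denied { read } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket
"""

# Assumed shape of an AVC denial: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Parse one AVC denial line.

    Returns a dict with the denied permissions, the source and target
    types, the object class and the executable, or None if the line is
    not an AVC denial at all.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(
        kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv
    )
    # A security context is user:role:type (plus an optional MLS range);
    # allow rules are written in terms of the type, the third field.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
    }


def allow_rules(lines):
    """Merge denials sharing (source type, target type, class) into one
    allow rule each. A target type equal to the source is written as
    'self'. Note that the executable never appears in the rule: the
    access would be granted to every process of the source type."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == stype else ttype
        rules.append(
            f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        )
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS.splitlines()):
        print(rule)
```

Running it prints `allow user_t self:netlink_socket { bind getattr read write };`. Because `exe=/usr/bin/nsupdate` drops out of the rule, adding it to policy opens netlink to everything running as user_t, which is exactly the rogue-app concern in the reply; the alternative Dan points at is giving nsupdate its own security context so the permission is scoped to that domain rather than to all user processes.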