nsupdate and netlink_socket AVCs

Daniel J Walsh dwalsh at redhat.com
Fri Mar 12 04:45:41 UTC 2004


Aleksey Nogin wrote:

> On 11.03.2004 13:18, Daniel J Walsh wrote:
>
>> Is nsupdate a program to be run by an ordinary user? 
>
>
> Yes. But if I understand correctly, it only needs to communicate over 
> UDP or TCP to a DNS server from an unprivileged port. I do not know 
> why it wants netlink_sockets.
>
>> If yes we need to define a security context for nsupdate to allow it 
>> to access the netlink_sockets.
>
>
> Are you sure? _Why_ does nsupdate need it? Is it not an nsupdate 
> deficiency?



Taking a quick look at the code, it is doing some stuff to determine if 
it has IPv4 and IPv6 support.  You can define a security context for it 
and give it netlink access.  If you take a look at the named.te file and 
copy the section on ndc_exec_t/ndc_t to nsupdate_exec_t/nsupdate_t, you 
could get a good start on it.  Then add

allow nsupdate_t self:netlink_socket create_socket_perms;

Dan
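As an added illustration (not from the thread or from the SELinux policy sources), a small Python helper that turns AVC denial lines into the kind of allow rule Dan suggests: it uses `self` when source and target types match and can collapse the observed socket permissions into the `create_socket_perms` macro. The denial lines, the pid, and the nsupdate_t type are constructed for the example.

```python
import re
from collections import defaultdict

# Permission set behind the create_socket_perms macro used in the thread's
# rule (as defined in the SELinux policy macro files).
CREATE_SOCKET_PERMS = {"create", "ioctl", "read", "getattr", "write", "setattr",
                       "append", "bind", "connect", "getopt", "setopt", "shutdown"}

# Matches both the old dmesg-style and the auditd-style AVC denial lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample denials, as they might appear after nsupdate was moved
# into a (hypothetical) nsupdate_t domain running in permissive mode.
SAMPLE_AVCS = [
    "avc:  denied  { create } for  pid=2311 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=user_u:user_r:nsupdate_t tclass=netlink_socket",
    "avc:  denied  { bind } for  pid=2311 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=user_u:user_r:nsupdate_t tclass=netlink_socket",
    "avc:  denied  { read write } for  pid=2311 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=user_u:user_r:nsupdate_t tclass=netlink_socket",
    "avc:  denied  { name_bind } for  pid=2311 exe=/usr/bin/nsupdate scontext=user_u:user_r:nsupdate_t tcontext=system_u:object_r:port_t tclass=udp_socket",
]

def parse_avc(line):
    """Return (source_type, target, tclass, perms) for one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type[:level]
    ttype = m.group("tcontext").split(":")[2]
    target = "self" if ttype == stype else ttype  # same type -> 'self' rule
    return stype, target, m.group("tclass"), set(m.group("perms").split())

def allow_rules(lines, use_macros=False):
    """Collapse denials into one allow rule per (source, target, class)."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, target, tclass, perms = parsed
            wanted[(stype, target, tclass)] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(wanted.items()):
        if use_macros and tclass.endswith("socket") and perms <= CREATE_SOCKET_PERMS:
            body = "create_socket_perms"  # macro grants more than was observed
        else:
            body = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS, use_macros=True):
        print(rule)
```

The macro form reproduces the thread's `allow nsupdate_t self:netlink_socket create_socket_perms;` but grants every permission in the set rather than only the denied ones, so compare it against the exact-permission output before loading a policy built from it.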




More information about the fedora-selinux-list mailing list