[policy-1.8-19] Reading the hostname AVCs
Russell Coker
russell at coker.com.au
Fri Mar 19 09:47:24 UTC 2004
On Fri, 19 Mar 2004 19:57, Aleksey Nogin <aleksey at nogin.org> wrote:
> When running hostname (or hostname -s) to _get_ (not set) the hostname
> as a "staff" user - under sysadm_r:
>
> The socket ones are coming from, I believe, trying to access
> /var/run/nscd/socket that does not exist (nscd was never used on this
> machine).
allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;
The above 4 lines of policy will permit the access to net_cont_t and to
creating unix_stream_socket's (although I don't know why it does either of
these things). It may need can_network() although so far none of my tests
have had it use any TCP/IP functionality.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list
mailing list