systat needs perms for proc_net_t?

Tom London selinux at gmail.com
Sat Nov 27 19:30:39 UTC 2004


Running strict/enforcing off of latest Rawhide:

I get:
Nov 27 11:10:01 fedora kernel: audit(1101582601.882:0): avc:  denied 
{ search } for  pid=8407 exe=/usr/lib/sa/sadc name=net dev=proc
ino=-268435434 scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 27 11:10:01 fedora kernel: audit(1101582601.884:0): avc:  denied 
{ search } for  pid=8407 exe=/usr/lib/sa/sadc name=net dev=proc
ino=-268435434 scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:proc_net_t tclass=dir

every 10 minutes or so...

I made the following patch to sysstat.te to add
read perms for proc_net_t.  

That right?

tom

--- SAVE/sysstat.te     2004-11-27 11:19:14.988551119 -0800
+++ ./sysstat.te        2004-11-27 11:20:08.235155773 -0800
@@ -51,8 +51,8 @@
 allow sysstat_t fs_t:filesystem getattr;

 # get info from /proc
-allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t
sysctl_rpc_t }:dir r_dir_perms;
-allow sysstat_t { proc_t sysctl_kernel_t sysctl_t sysctl_fs_t
sysctl_rpc_t }:file { read getattr };
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t
sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
+allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t
sysctl_fs_t sysctl_rpc_t }:file { read getattr };

 domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
 allow sysstat_t init_t:fd use;
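Review bot: the logged denial is only { search } on proc_net_t:dir, but the hunk grants r_dir_perms on the directory and { read getattr } on proc_net_t files, which is broader than what the audit log shows; since sadc will presumably read entries under /proc/net once search is allowed, that is probably what is wanted, but it is worth confirming under enforcing mode that the file-class permissions are actually exercised (a fresh avc: denied for tclass=file) rather than granting them speculatively. Also, each allow statement in the hunk has been wrapped by the mailer onto two lines while the @@ -51,8 +51,8 @@ header counts them as single lines, so the lines need rejoining before the patch will apply cleanly.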

-- 
Tom London
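To show what the audit lines above actually ask for, here is an added example (not from the post or the sysstat policy) that parses AVC denial records into the minimal allow rule they imply, much as audit2allow does; the function names `parse_avc` and `to_allow_rules` are my own, and the sample log is the two denials from the post rejoined into single records.

```python
"""Derive the minimal SELinux allow rule implied by AVC denial records.

Added example, not part of the original post. The sample input below is
constructed from the two denials quoted in the message.
"""
import re
from collections import defaultdict

# Constructed sample: the post's two audit lines, rejoined after mail wrapping.
SAMPLE_LOG = """\
Nov 27 11:10:01 fedora kernel: audit(1101582601.882:0): avc:  denied  { search } for  pid=8407 exe=/usr/lib/sa/sadc name=net dev=proc ino=-268435434 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:proc_net_t tclass=dir
Nov 27 11:10:01 fedora kernel: audit(1101582601.884:0): avc:  denied  { search } for  pid=8407 exe=/usr/lib/sa/sadc name=net dev=proc ino=-268435434 scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:proc_net_t tclass=dir
"""

# Captures the permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        # The type is the third field of a user:role:type[:level] context.
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the parsed denials as policy 'allow' statements, one per key."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc(SAMPLE_LOG)):
        print(rule)
```

For the post's log this yields only `allow sysstat_t proc_net_t:dir { search };`, which is narrower than the r_dir_perms plus file read granted in the patch; the difference is what to verify against further denials.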
