When running hostname (or hostname -s) to _get_ (not set) the hostname as a "staff" user - under sysadm_r:
audit(1079685457.360:0): avc: denied { read } for pid=9499 exe=/bin/hostname name=resolv.conf dev=hda2 ino=229950 scontext=aleksey:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { getattr } for pid=9499 exe=/bin/hostname path=/etc/resolv.conf dev=hda2 ino=229950 scontext=aleksey:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { create } for pid=9499 exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
audit(1079685457.361:0): avc: denied { connect } for pid=9499 exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
The socket ones are coming from, I believe, trying to access /var/run/nscd/socket that does not exist (nscd was never used on this machine).
On Fri, 19 Mar 2004 19:57, Aleksey Nogin aleksey@nogin.org wrote:
> When running hostname (or hostname -s) to _get_ (not set) the hostname as a "staff" user - under sysadm_r:
> The socket ones are coming from, I believe, trying to access /var/run/nscd/socket that does not exist (nscd was never used on this machine).
allow hostname_t net_conf_t:file { getattr read };
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t var_t:dir search;
allow hostname_t fs_t:filesystem getattr;

The above 4 lines of policy will permit the access to net_conf_t and to creating unix_stream_sockets (although I don't know why it does either of these things). It may need can_network() although so far none of my tests have had it use any TCP/IP functionality.
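As an added illustration (not code from either poster), the following script shows how the first two allow rules in the reply can be derived mechanically from the four AVC denials in the original message: it parses each `avc: denied` line, reduces the security contexts to their type fields, merges permissions that share the same (source type, target type, object class), and writes a target equal to the source as `self`. This is a small stand-in for what `audit2allow` does on a real system. The sample log is the thread's own four denials, one per line; `AVC_RE`, `parse_avc` and `denials_to_rules` are names chosen here for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC denials quoted in the thread, one per line.
AVC_LOG = """\
audit(1079685457.360:0): avc: denied { read } for pid=9499 exe=/bin/hostname name=resolv.conf dev=hda2 ino=229950 scontext=aleksey:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { getattr } for pid=9499 exe=/bin/hostname path=/etc/resolv.conf dev=hda2 ino=229950 scontext=aleksey:sysadm_r:hostname_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079685457.361:0): avc: denied { create } for pid=9499 exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
audit(1079685457.361:0): avc: denied { connect } for pid=9499 exe=/bin/hostname scontext=aleksey:sysadm_r:hostname_t tcontext=aleksey:sysadm_r:hostname_t tclass=unix_stream_socket
"""

# Pulls the denied permission set and the two contexts plus object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(log):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"],
               frozenset(m["perms"].split()))


def denials_to_rules(log):
    """Merge denials sharing (source, target, class) into one allow rule each.

    A target type equal to the source type is written as 'self', as in the
    reply's unix_stream_socket rule.  Only what the log shows is emitted; the
    reply's dontaudit and fs_t rules came from further testing, not these lines.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(log):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt = "self" if tgt == src else tgt
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(AVC_LOG):
        print(rule)
```

Running it prints the socket rule as `{ connect create }` rather than the reply's `create_stream_socket_perms` macro: a generator only ever sees the permissions that were actually denied, which is why hand-written policy usually widens to the standard macro, and why the `dontaudit hostname_t var_t:dir search` and `fs_t:filesystem getattr` lines, which no denial above mentions, had to come from the replier's own tests rather than from this log.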
selinux@lists.fedoraproject.org