The list is now much smaller than it used to be. I see:
audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
On Fri, 19 Mar 2004 20:47, Aleksey Nogin aleksey@nogin.org wrote:
The list is now much smaller than it used to be. I see:
audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
can_network(hotplug_t)
The above rule solved all that. I'm not sure that's what we desire though. Maybe the program that calls /sbin/route should be running in a different domain? How is this wavelan stuff set up? Why is it different from an ethernet device?
On 19.03.2004 02:23, Russell Coker wrote:
The above rule solved all that. I'm not sure that's what we desire though. Maybe the program that calls /sbin/route should be running in a different domain? How is this wavelan stuff set up? Why is it different from an ethernet device?
It's not set up any differently - it is a built-in PCMCIA card that is set up to use DHCP for everything. I would imagine that /sbin/route is called by the ifup script.
Aleksey Nogin wrote:
The list is now much smaller than it used to be. I see:
audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
Updated policy to handle all your avc messages, not sure what to do with the last ones though.
On Fri, 2004-03-19 at 07:46, Daniel J Walsh wrote:
Aleksey Nogin wrote:
The list is now much smaller than it used to be. I see:
audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
Updated policy to handle all your avc messages, not sure what to do with the last ones though.
Should /sbin/route run in netutils_t (in general, both from hotplug_t and from sysadm_t)?
In any event, hotplug_t is likely a candidate for unconfined_domain() in the limited policy, as is insmod_t.
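The thread's two candidate fixes differ in scope: can_network(hotplug_t) grants the whole hotplug domain general network access, while the denials themselves only need four narrow rules, and all of the file denials come from one helper, /sbin/route, which is the clue behind the netutils_t suggestion. As an added example (not code from this thread or from the Fedora policy), the Python below parses the AVC records quoted above (embedded as a constructed sample), merges them into the minimal allow rules the way audit2allow does, and lists which executables were denied in each domain; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC records quoted in this thread (2.6-era
# audit format, before the later "type=AVC msg=" framing).
AVC_LOG = """\
audit(1079689114.447:0): avc: denied { read } for pid=1615 exe=/sbin/route name=resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689114.448:0): avc: denied { getattr } for pid=1615 exe=/sbin/route path=/etc/resolv.conf dev=hda2 ino=229950 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:net_conf_t tclass=file
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:netif_t tclass=netif
audit(1079689115.057:0): avc: denied { udp_recv } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:node_t tclass=node
audit(1079689115.057:0): avc: denied { recv_msg } for saddr=131.215.9.49 src=53 daddr=192.168.1.100 dest=32771 netif=wvlan0 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
"""

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$")

def parse_avc(line):
    """Return (source type, target type, class, perms, fields) or None.
    The type is the third field of a context like system_u:system_r:hotplug_t."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms, fields

def denials_to_allow_rules(log):
    """Merge denials sharing (source, target, class) into one allow rule each,
    as audit2allow does; rules come out in first-seen order."""
    merged = OrderedDict()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            stype, ttype, tclass, perms, _ = rec
            merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in merged.items()]

def executables_by_domain(log):
    """Map each denied source domain to the executables seen in it. When one
    helper (here /sbin/route) accounts for a domain's denials, a transition to
    its own domain is a tighter fix than widening the calling domain."""
    seen = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None and "exe" in rec[4]:
            seen.setdefault(rec[0], set()).add(rec[4]["exe"])
    return seen
```

The network denials carry no exe field, so only the file denials attribute to /sbin/route; the merged rules are what a targeted fix would add instead of the broad can_network macro.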
selinux@lists.fedoraproject.org