
List:       selinux
Subject:    Re: [PATCH 1/1] Allow release_app getattr of netlink_selinux sockets
From:       Stephen Smalley <sds () tycho ! nsa ! gov>
Date:       2012-07-31 13:46:46
Message-ID: 1343742406.13704.7.camel () moss-pluto ! epoch ! ncsc ! mil

On Mon, 2012-07-30 at 14:18 -0700, Haiqing Jiang wrote:
> ---
>  app.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

I think the right fix is to instead close the NETLINK_SELINUX socket in
the child process.  I've made this change to libselinux.  Can you
re-test with the new libselinux and see if the permission is still
required by the test?

> 
> diff --git a/app.te b/app.te
> index 139652f..4e002bf 100644
> --- a/app.te
> +++ b/app.te
> @@ -63,6 +63,8 @@ net_domain(release_app)
>  bluetooth_domain(release_app)
>  # Read logs.
>  allow release_app log_device:chr_file read;
> +# Use netlink_selinux socket
> +allow release_app zygote:netlink_selinux_socket getattr;
>  
>  #
>  # An example of a specific domain for a specific app
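Review bot: the added rule at `+allow release_app zygote:netlink_selinux_socket getattr;` targets a socket labelled with the zygote domain, which points to a descriptor inherited across the fork rather than a socket release_app opens itself; as the reply above suggests, closing the NETLINK_SELINUX socket in the child within libselinux removes the denial without widening app policy for every release_app domain. If the rule is kept at all, the comment `+# Use netlink_selinux socket` overstates it: getattr only permits fstat on the inherited descriptor, and the comment should state that the fd is leaked from zygote so a later reader knows the rule papers over a descriptor leak.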

-- 
Stephen Smalley
National Security Agency

