allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
After updating to the latest rawhide stuff I needed the above rule in sshd.te
to allow sshd to work correctly (unified diff attached). The first two
accesses (create and bind) are needed to allow sshd to work to the stage of
permitting logins. The last three to stop it spewing messages.
What is this self:netlink_audit_socket access? What is the appropriate access
for such things?
newrole has the same issue, the file newrole.diff applies to
newrole_macros.te. Even after applying that patch I get an error as follows:
[root@community ~]# newrole -r sysadm_r
Authenticating root.
Password:
Error sending status request (Operation not permitted)
[root@community ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root@community ~]#
I guess that this is in the new pam so local_login_t, xdm_t and other domains
will need similar changes.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
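
The following is an added example, not part of the original message or of the SELinux policy sources: a small parser that groups AVC denial lines into candidate allow rules, showing how the five netlink_audit_socket permissions above collapse into the single rule quoted at the top. The log lines, pids, timestamps and the example_log_t type are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample denials (assumed values, not taken from the message).
SAMPLE_LOG = """\
audit(1101000000.101:0): avc:  denied  { create } for  pid=2201 exe=/usr/sbin/sshd scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1101000000.102:0): avc:  denied  { bind } for  pid=2201 exe=/usr/sbin/sshd scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1101000000.103:0): avc:  denied  { write nlmsg_read } for  pid=2201 exe=/usr/sbin/sshd scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1101000000.104:0): avc:  denied  { read } for  pid=2201 exe=/usr/sbin/sshd scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1101000000.105:0): avc:  denied  { write } for  pid=2201 exe=/usr/sbin/sshd scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t tclass=netlink_audit_socket
audit(1101000000.106:0): avc:  denied  { append } for  pid=2201 exe=/usr/sbin/sshd name=x.log scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:example_log_t tclass=file
sshd[2201]: Accepted password for root from 192.0.2.10 port 40000 ssh2
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target, class).

    A target whose type equals the source type is written as "self",
    which is the form used for a process's own sockets.
    """
    grouped = defaultdict(list)  # dicts keep insertion order (Python 3.7+)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial (e.g. an ordinary sshd log line)
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        key = (src, "self" if tgt == src else tgt, m["tclass"])
        for perm in m["perms"].split():
            if perm not in grouped[key]:  # repeated denials add nothing new
                grouped[key].append(perm)
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(perms))
        for (s, t, c), perms in grouped.items()
    ]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

The output names the concrete domain (sshd_t); in the policy macro the same rule is written against $1_t.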