RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,040 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

11 Commits

Author SHA1 Message Date
Nicolas Iooss d91d41b53a
ulogd: allow creating a netlink-netfilter socket 
This is used to get the packets logged by the firewall.

I experienced this on a Debian system which uses nftables rules with the
"log" keyword:

    type=AVC msg=audit(1565901600.257:348): avc:  denied  { create } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tcla
    ss=netlink_netfilter_socket permissive=1

    type=AVC msg=audit(1565901103.154:327): avc:  denied  { read } for
    pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45
    success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1
    pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111
    egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd"
    exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null)

    type=PROCTITLE msg=audit(1565901103.154:327):
    proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964

    [ ... ]

    type=AVC msg=audit(1565901600.241:338): avc:  denied  { write } for
    pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:348): avc:  denied  { create } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:349): avc:  denied  { getattr } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

    type=AVC msg=audit(1565901600.257:350): avc:  denied  { bind } for
    pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
    permissive=1

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-17 15:53:32 +02:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 09248fa0db Move modules to contrib submodule. 2011-09-09 10:10:03 -04:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito e6e42cd4c9 Module version bump for ulogd. 2010-11-19 11:39:51 -05:00
Chris PeBenito b9a562446d Move all ulogd networking into the mysql and postgres optionals. 2010-11-19 11:39:36 -05:00
Jeremy Solt a00839dcc1 ulogd patch from Dan Walsh 
"communicates with mysql and postgres via the network"
 2010-11-18 13:26:19 -05:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito 45515556d4 trunk: 10 patches from dan. 2009-06-12 19:44:10 +00:00
Chris PeBenito a5ef553c2d trunk: 5 modules from dan. 2009-04-20 19:03:15 +00:00