userdomain: allow netlink_kobject_uvent_socket creation

Not auditing this turns out to be the wrong choice for
several reasons.

For applications to function normally, the user domain
should be able to create netlink_kobject_uevent_socket
sockets.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Guido Trentalancia 2017-06-21 17:28:35 +02:00 committed by Chris PeBenito
parent 794ed7efd0
commit ff8675f1c8


@ -530,8 +530,8 @@ template(`userdom_common_user_template',`
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
# gnome-settings-daemon tries to create a netlink socket
dontaudit $1_t self:netlink_kobject_uevent_socket create_socket_perms;
# gnome-settings-daemon and some applications create a netlink socket
allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
allow $1_t unpriv_userdomain:fd use;
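Review bot: The new rule `allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;` grants the full socket permission set to every domain instantiated from `userdom_common_user_template`, yet its comment only says that gnome-settings-daemon and "some applications" create the socket. If those programs only listen for kernel uevents, a narrower set is probably sufficient, for example `allow $1_t self:netlink_kobject_uevent_socket { create bind read getattr getopt setopt };`, which should be confirmed against the logged AVC denials before adopting it. The comment should also name the functionality that breaks without the rule, because the commit message refers to "several reasons" without listing them and the next reader of the policy cannot tell why a denial that was deliberately silenced is now permitted. The template body starts and ends outside this hunk, so whether the rule would sit better behind a tunable or in a narrower caller cannot be judged from the visible lines.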