On Thu, Feb 14, 2013 at 10:34 PM, Saurabh Sharma <[email protected]> wrote:

> Hello William,
>
> I was clear on this part, but in my case, when I am trying to connect to
> a server socket, I get a write permission denial. Hence my assumption is that
> when the rule has only the connectto permission it should allow connecting to
> the peer.
>
> Getting the denial for the write permission makes me think that
> connectto alone will not work without the write permission in the rule.
>
> Awaiting your reply.
>
> Regards,
>
> Saurabh

Assuming you have straced the code in question and verified there is no
write syscall being invoked, I would imagine part of the protocol on
setting up the connection may require a write on the socket fd that was
passed to it.

> > ------- Original Message -------
> > Sender : William Roberts <[email protected]>
> > Date : Feb 14, 2013 22:20 (GMT+09:00)
> > Title : Re: Connectto permission error
> >
> > On Thu, Feb 14, 2013 at 8:13 PM, Saurabh Sharma wrote:
> >
> > > Hello,
> > >
> > > For the connectto permission using unix_stream_socket, the system throws
> > > a write avc denial on sock_file.
> > >
> > > e.g.
> > >
> > > allow abcd xyz:unix_stream_socket connectto;
> > >
> > > The connect function call throws
> > >
> > > avc: denied { write } for pid=12345 scontext=u:r:abcd:s0
> > > tcontext=u:object_r:xyz:s0 tclass=sock_file
> > >
> > > Does the connect call on a socket open a file for writing?
> > > If so, is the connectto rule dependent on the write permission in the
> > > case of a socket?
> > > What am I missing here?
> > >
> > > Note: pid, source context and target context are taken only for example
> > > reference.
> > >
> > > Regards,
> > >
> > > Saurabh Sharma
> >
> > Saurabh,
> >
> > connectto and write are two separate permissions. connectto lets you
> > connect to a server socket; write lets you write to an fd of that type
> > and class. Typically a client program connects to a server and then
> > reads and writes data.
> >
> > If you are facing a specific denial we could help you.
> >
> > I wasn't quite clear on your question; hopefully this answers it or
> > makes it more clear.
> >
> > --
> > Respectfully,
> >
> > William C Roberts

--
Respectfully,

William C Roberts
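The thread ends without stating why connect() on a Unix stream socket trips a sock_file write check. For a socket bound to a filesystem path, the kernel checks write permission on the socket inode while looking up the peer (and search on the directories leading to it), so SELinux needs sock_file write on the socket file in addition to unix_stream_socket connectto on the listening process's socket; a socket in the abstract namespace has no inode, so only connectto applies there. The following is an added example, not code from the thread or from the SELinux project: it parses AVC lines like the one quoted above into the allow rules they call for (merging per source type, target type and class, as audit2allow does) and runs a local path-based Unix socket connect so the call that triggers both checks can be exercised. The type names abcd and xyz and the quoted denial are the thread's placeholders; the second sample log line, the socket path and all function names are constructed for this example.

```python
import os
import re
import socket
import tempfile
import threading

# Shape of a kernel AVC denial: "avc: denied { perm ... } for key=value ...".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

# Constructed sample log: the first line is the denial quoted in the thread
# (placeholder contexts, as the poster notes), the second is a constructed
# connectto denial using the same placeholder types, the third is noise.
SAMPLE_LOG = [
    "avc: denied { write } for pid=12345 scontext=u:r:abcd:s0 "
    "tcontext=u:object_r:xyz:s0 tclass=sock_file",
    'avc: denied { connectto } for pid=12345 comm="client" '
    'path="/run/xyz.sock" scontext=u:r:abcd:s0 tcontext=u:r:xyz:s0 '
    "tclass=unix_stream_socket permissive=0",
    "kernel: some unrelated message",
]


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {}
    for token in match.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": match.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "pid": fields.get("pid"),
    }


def context_type(ctx):
    """user:role:type[:range] -> type (u:r:abcd:s0 -> abcd)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def format_rule(stype, ttype, tclass, perms):
    """Render an allow rule; brace the permission set when there is more than one."""
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text)


def allow_rule(denial):
    """The single allow rule that would satisfy one parsed denial."""
    return format_rule(context_type(denial["scontext"]),
                       context_type(denial["tcontext"]),
                       denial["tclass"], sorted(denial["perms"]))


def rules_from_log(lines):
    """Merge a log's denials per (source type, target type, class)."""
    merged = {}
    for line in lines:
        denial = parse_avc(line)
        if denial is None:
            continue
        key = (context_type(denial["scontext"]),
               context_type(denial["tcontext"]), denial["tclass"])
        merged.setdefault(key, set()).update(denial["perms"])
    return [format_rule(s, t, c, sorted(p)) for (s, t, c), p in merged.items()]


def unix_connect_roundtrip(payload=b"ping"):
    """Bind a path-based AF_UNIX stream server, connect() to it, echo payload.

    On an SELinux host the client's connect() is the call that needs both
    sock_file:write on the socket inode and unix_stream_socket:connectto on
    the listening peer; the send/recv afterwards are ordinary read/write checks.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "demo.sock")  # constructed path
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    server.settimeout(5)

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.settimeout(5)
            client.connect(path)
            client.sendall(payload)
            reply = client.recv(4096)
    finally:
        worker.join(5)
        server.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return reply


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
    print(unix_connect_roundtrip())
```

On an enforcing SELinux host, run the round trip from a confined domain and then `ausearch -m avc -ts recent` to see which of the two checks fails; fed into rules_from_log, the denials for the thread's placeholder types come out as `allow abcd xyz:sock_file write;` and `allow abcd xyz:unix_stream_socket connectto;`, both of which the client domain needs before connect() succeeds.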
