On Sep 12, 2017 7:01 AM, "Dominick Grift" <[email protected]> wrote:
I have extended socket class polcap enabled but i am still seeing "socket"
class events and i was wondering whether that is to be expected?
avc: denied { create } for pid=10484 comm="nethogs" scontext=wheel.id:
sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role:nethogs.subj:s0
tclass=socket permissive=0
This seems to be common to processes that also create (and map! [1])
"packet_socket" sockets (tcpdump/nethogs)
[1] avc: denied { map } for pid=10525 comm="nethogs"
path="socket:[56040]" dev="sockfs" ino=56040
scontext=wheel.id:sysadm.role:nethogs.subj:s0
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket
permissive=0
No, that is not expected. Can you enable sys call audit and get those
records?
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
