Re: with extended_socket_class should be still be seeing "socket"?

Stephen Smalley Tue, 12 Sep 2017 10:12:06 -0700

On Sep 12, 2017 7:01 AM, "Dominick Grift" <dac.overr...@gmail.com> wrote:


I have extended socket class polcap enabled but i am still seeing "socket"
class events and i was wondering whether that is to be expected?

avc:  denied  { create } for  pid=10484 comm="nethogs" scontext=wheel.id:
sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role:nethogs.subj:s0
tclass=socket permissive=0

This seems to be common to processes that also create (and map! [1])
"packet_socket" sockets (tcpdump/nethogs)

[1] avc:  denied  { map } for  pid=10525 comm="nethogs"
path="socket:[56040]" dev="sockfs" ino=56040
scontext=wheel.id:sysadm.role:nethogs.subj:s0
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket
permissive=0


No, that is not expected. Can you enable sys call audit and get those
records?


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Re: with extended_socket_class should be still be seeing "socket"?

Reply via email to