HI
I have something in /var/log/audit/audit.log like:
avc: denied { write } for pid=23739 comm="httpd" name="renderd.sock"
dev=dm-0 ino=1183752 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
use audit2allow it generates something like this:
allow httpd_t var_run_t:sock_file write;
Is the rule too liberal? that means httpd_t can write any var_run_t 's
sock_file?
Or I miss-understand something?
Should it only allow httpd_t to write this specific render.sock file?
If so, what's the right way to do?
Thanks.
min
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f98c4ca.40...@gmail.com
