I have extended socket class polcap enabled but i am still seeing "socket" class events and i was wondering whether that is to be expected?
avc: denied { create } for pid=10484 comm="nethogs"
scontext=wheel.id:sysadm.role:nethogs.subj:s0
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=socket permissive=0
This seems to be common to processes that also create (and map! [1])
"packet_socket" sockets (tcpdump/nethogs)
[1] avc: denied { map } for pid=10525 comm="nethogs" path="socket:[56040]"
dev="sockfs" ino=56040 scontext=wheel.id:sysadm.role:nethogs.subj:s0
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket permissive=0
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
signature.asc
Description: PGP signature
