On Tue, Sep 12, 2017 at 12:01:35PM -0400, Stephen Smalley wrote:
> On Sep 12, 2017 7:01 AM, "Dominick Grift" <[email protected]> wrote:
> 
> I have extended socket class polcap enabled but I am still seeing "socket"
> class events and I was wondering whether that is to be expected?
> 
> avc:  denied  { create } for  pid=10484 comm="nethogs" scontext=wheel.id:
> sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role:nethogs.subj:s0
> tclass=socket permissive=0
> 
> This seems to be common to processes that also create (and map! [1])
> "packet_socket" sockets (tcpdump/nethogs).
> 
> [1] avc:  denied  { map } for  pid=10525 comm="nethogs"
> path="socket:[56040]" dev="sockfs" ino=56040
> scontext=wheel.id:sysadm.role:nethogs.subj:s0
> tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket
> permissive=0
> 
> 
> No, that is not expected. Can you enable sys call audit and get those
> records?

type=PROCTITLE msg=audit(09/12/2017 19:35:54.063:4458) : proctitle=nethogs 
enp8s0 
type=SYSCALL msg=audit(09/12/2017 19:35:54.063:4458) : arch=x86_64 
syscall=socket success=yes exit=5 a0=local a1=SOCK_RAW a2=ip a3=0xb4 items=0 
ppid=3251 pid=8963 auid=kcinimod uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=1 comm=nethogs 
exe=/usr/sbin/nethogs subj=wheel.id:sysadm.role:nethogs.subj:s0 key=(null) 
type=AVC msg=audit(09/12/2017 19:35:54.063:4458) : avc:  denied  { create } for 
 pid=8963 comm=nethogs scontext=wheel.id:sysadm.role:nethogs.subj:s0 
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=socket permissive=1

type=PROCTITLE msg=audit(09/12/2017 19:35:07.983:4457) : proctitle=nethogs 
enp8s0 
type=MMAP msg=audit(09/12/2017 19:35:07.983:4457) : fd=5 flags=MAP_SHARED 
type=SYSCALL msg=audit(09/12/2017 19:35:07.983:4457) : arch=x86_64 syscall=mmap 
success=yes exit=140169557827584 a0=0x0 a1=0x200000 a2=PROT_READ|PROT_WRITE 
a3=MAP_SHARED items=0 ppid=3251 pid=8907 auid=kcinimod uid=root gid=root 
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=1 
comm=nethogs exe=/usr/sbin/nethogs subj=wheel.id:sysadm.role:nethogs.subj:s0 
key=(null) 
type=AVC msg=audit(09/12/2017 19:35:07.983:4457) : avc:  denied  { map } for  
pid=8907 comm=nethogs path=socket:[103238] dev="sockfs" ino=103238 
scontext=wheel.id:sysadm.role:nethogs.subj:s0 
tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket permissive=1


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
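Joining the SYSCALL and AVC records that share an audit serial shows which socket() arguments produced the generic socket-class denial; the kernel picks the class from the (family, type, protocol) triple, and a triple outside the extended-class mapping falls back to the generic socket class. This is an added example, not code from the thread: the log lines are constructed from the records quoted above, placed one record per line, with the field names of ausearch -i output.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the records quoted above, one per line.
SAMPLE = """\
type=SYSCALL msg=audit(09/12/2017 19:35:54.063:4458) : arch=x86_64 syscall=socket success=yes exit=5 a0=local a1=SOCK_RAW a2=ip a3=0xb4 items=0 ppid=3251 pid=8963 comm=nethogs exe=/usr/sbin/nethogs subj=wheel.id:sysadm.role:nethogs.subj:s0 key=(null)
type=AVC msg=audit(09/12/2017 19:35:54.063:4458) : avc:  denied  { create } for  pid=8963 comm=nethogs scontext=wheel.id:sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=socket permissive=1
type=SYSCALL msg=audit(09/12/2017 19:35:07.983:4457) : arch=x86_64 syscall=mmap success=yes exit=140169557827584 a0=0x0 a1=0x200000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=3251 pid=8907 comm=nethogs exe=/usr/sbin/nethogs subj=wheel.id:sysadm.role:nethogs.subj:s0 key=(null)
type=AVC msg=audit(09/12/2017 19:35:07.983:4457) : avc:  denied  { map } for  pid=8907 comm=nethogs path=socket:[103238] dev="sockfs" ino=103238 scontext=wheel.id:sysadm.role:nethogs.subj:s0 tcontext=wheel.id:sysadm.role:nethogs.subj:s0 tclass=packet_socket permissive=1
"""

SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")   # serial after the timestamp
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
PERMS_RE = re.compile(r"\{ ([^}]*) \}")                # the { create } set of an AVC

def parse_record(line):
    """Turn one audit record into a dict; None for lines without a serial."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    rec = {"serial": m.group(1)}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val.strip('"')
    perms = PERMS_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec

def correlate(text):
    """Join each AVC record with the SYSCALL record carrying the same serial."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    joined = []
    for serial, recs in sorted(by_serial.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc and sc:  # only events that logged both halves can be joined
            joined.append({"serial": serial, "comm": avc["comm"],
                           "tclass": avc["tclass"], "perms": avc["perms"],
                           "syscall": sc["syscall"],
                           "args": [sc[a] for a in ("a0", "a1", "a2", "a3")]})
    return joined

def generic_socket_creates(joined):
    """(family, type, protocol) of socket() calls the kernel checked against
    the generic 'socket' class rather than one of the extended classes."""
    return [tuple(j["args"][:3]) for j in joined
            if j["syscall"] == "socket" and j["tclass"] == "socket"]
```

Feed it the output of `ausearch -i` (after joining wrapped records) to list every socket() triple that still lands in the generic class.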