| Summary: | net-analyzer/tcpdump wants access to debugfs_t | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Eric Gisse <jowr.pi> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r7 | | |
| Package list: | | Runtime testing required: | --- |
Description
Eric Gisse
2015-01-08 07:27:56 UTC
Is there a particular tcpdump command that you were doing? I tried here but a "standard" tcpdump -i <iface> does not give that denial here.

I missed your "if I am nonspecific" paragraph. Another denial I get then is:

time->Sun Jun 7 10:52:50 2015
type=AVC msg=audit(1433667170.527:83): avc: denied { read } for pid=17708 comm="tcpdump" name="usbmon4" dev="devtmpfs" ino=163 scontext=staff_u:sysadm_r:netutils_t:s0 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0

I'm going to dontaudit both of these for now.

Another set of permissions coming up (now on unstable) due to capabilities being used:

kernel_request_load_module(netutils_t) # request nfnetlink-subsys-3 (queue)
allow netutils_t self:process getcap; # check capabilities
allow netutils_t self:capability setpcap; # set capability

Committed to our repo, will be part of r7.

r7 is now ~arch.

r7 is stable.
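As an added example, not code from the bug or from the Gentoo policy repository, the following parses an AVC record like the one quoted above, pulls out the source type, target type, class and permissions, and prints the matching allow or dontaudit rule (the same decision the maintainer makes here). The sample line is the denial from the report; the helper names are my own.

```python
import re

# Sample input: the AVC denial quoted in this bug (the "time->" prefix dropped).
AVC_LINE = ('type=AVC msg=audit(1433667170.527:83): avc: denied { read } for pid=17708 '
            'comm="tcpdump" name="usbmon4" dev="devtmpfs" ino=163 '
            'scontext=staff_u:sysadm_r:netutils_t:s0 '
            'tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=0')

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is the third component.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=0 means the access was actually blocked, not just logged.
        'enforced': fields.get('permissive') == '0',
    }


def policy_rule(denial, kind='allow'):
    """Render the denial as an 'allow' or 'dontaudit' rule in policy syntax."""
    if kind not in ('allow', 'dontaudit'):
        raise ValueError('kind must be allow or dontaudit')
    target = 'self' if denial['target_type'] == denial['source_type'] else denial['target_type']
    return '%s %s %s:%s { %s };' % (kind, denial['source_type'], target,
                                   denial['tclass'], ' '.join(denial['perms']))


if __name__ == '__main__':
    d = parse_avc(AVC_LINE)
    print(d)
    print(policy_rule(d, 'dontaudit'))
```

For the quoted denial this yields `dontaudit netutils_t usbmon_device_t:chr_file { read };`, i.e. the access stays blocked but stops filling the audit log.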