On Aug 10, 2009, at 12:18 PM, Björn Giesler wrote:
Hi,
On 10.08.2009 at 20:52, Damien Sorresso wrote:
/usr/share/sandbox/mDNSResponder.sb
Thanks. That was it, indeed. Strangely, what I did was comment out (debug deny) and comment in (debug allow), then started mDNSResponder. That filled my log with all sorts of NET_OUTBOUND ALLOW messages, but the "Policy denied" messages were gone. So I restored the commenting, and now it works. I changed nothing else.
You're better off just leaving that file alone. Just file a bug against mDNSResponder, since it is attempting to access resources outside its sandbox.
Oh, I did change one more thing: mDNSResponder.sb has access bits rw-r--r-- now, was r--r--r--. But that can't have been it, can it? Surely sandbox doesn't need to write these config files?
It's owned by root. What's the point of taking away the write bit?
--
Damien Sorresso
BSD Engineering
Apple Inc.