[launchd-dev] launchd & mDNSResponder: "Policy denied Mach service lookup"

Damien Sorresso dsorresso at apple.com
Mon Aug 10 12:24:33 PDT 2009


On Aug 10, 2009, at 12:18 PM, Björn Giesler wrote:
> Hi,
>
> On 10.08.2009 at 20:52, Damien Sorresso wrote:
>> /usr/share/sandbox/mDNSResponder.sb
>
> Thanks. That was it, indeed. Strangely, what I did was comment out  
> (debug deny) and comment in (debug allow), then started  
> mDNSResponder. That filled my log with all sorts of NET_OUTBOUND  
> ALLOW messages, but the "Policy denied" messages were gone. So I  
> restored the commenting, and now it works. I changed nothing else.

You're better off just leaving that file alone. Just file a bug  
against mDNSResponder, since it is attempting to access resources  
outside its sandbox.

> Oh, I did change one more thing: mDNSResponder.sb has access bits
> rw-r--r-- now, was r--r--r--. But that can't have been it, can it?
> Surely sandbox doesn't need to write these config files?


It's owned by root. What's the point of taking away the write bit?
-- 
Damien Sorresso
BSD Engineering
Apple Inc.
