-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/16/2013 02:55 AM, Tim.Einmahl(a)kba.de wrote:
Hi,
I see this on Rhel6.4, selinux-policy-targeted-3.7.19-195.el6_4.12.
Regards Tim
The default their should be on, so I would recommend you turn the boolean back
on.
-----Ursprüngliche Nachricht----- Von: Daniel J Walsh
[mailto:dwalsh@redhat.com] Gesendet: Dienstag, 15. Oktober 2013 17:11 An:
Einmahl, Tim; selinux(a)lists.fedoraproject.org Betreff: Re:
allow_domain_fd_use
On 10/15/2013 03:48 AM, Tim.Einmahl(a)kba.de wrote:
> Hi,
> I would like to know, how much risk is there setting allow_domain_fd_use
> to 1?
> I am not totally sure about the security impact. Would that allow a
> process in one domain to read files and sockets that have been opened by
> a another domain?
> Usually, I disable it, but from time to time I get error messages like:
> - type=AVC msg=audit(1381801383.801:31585): avc: denied { use } for
> pid=25761 comm="mail" path="/dev/null" dev=devtmpfs ino=3656
> scontext=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd
> type=AVC msg=audit(1381801383.801:31585): avc: denied { use } for
> pid=25761 comm="mail" path="/dev/null" dev=devtmpfs ino=3656
> scontext=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd
> type=SYSCALL msg=audit(1381801383.801:31585): arch=x86_64 syscall=execve
> success=yes exit=0 a0=229fcd0 a1=229fd50 a2=229df90 a3=7fffb994eef0
> items=0 ppid=25741 pid=25761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=1677 comm=mail exe=/bin/mailx
> subj=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 key=(null)
> On a hypervisor, I have to allow it, otherwise I get millions of
> messages like
> type=SYSCALL msg=audit(1381823069.947:3240474): arch=c000003e syscall=0
> success=no exit=-13 a0=17 a1=7f9045c99ae4 a2=11000 a3=7fffa277af30
> items=0 ppid=1 pid=9616 auid=4294967295 uid=107 gid=107 euid=107 suid=107
> fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295
> comm="qemu-kvm"
> exe=2F7573722F6C6962657865632F71656D752D6B766D202864656C6574656429
> subj=system_u:system_r:svirt_t:s0:c559,c791 key=(null) type=AVC
> msg=audit(1381823069.947:3240474): avc: denied { use } for pid=9616
> comm="qemu-kvm" path="/dev/net/tun" dev=devtmpfs ino=9274
> scontext=system_u:system_r:svirt_t:s0:c559,c791
> tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fd
> Regards Tim
> -- selinux mailing list selinux(a)lists.fedoraproject.org
>
https://admin.fedoraproject.org/mailman/listinfo/selinux
We usually have this on by default. What OS/Policy version are you seeing
this with?
This basically means that one process can open a UID and pass it to
another process either through a fork/exec or my fd passing.
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlJejccACgkQrlYvE4MpobOzowCgk/vlIO2W1X2eXVBGmKi9e82K
plYAnRMfP6YKBOm38MvGhZ2U4H6QlhZh
=y72d
-----END PGP SIGNATURE-----