On 1/3/06, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> > ping XYZ | cat > /home/dwalsh/myping
>
> It's actually the shell that opens the file for input or output
> redirection, so apparently SELinux is denying a write to a file
> that is already open for writing. Curious.
> SELinux rechecks access to open file descriptors when they are inherited
> across execve (if the security context of the process is changing, e.g.
> due to a domain transition, as in this case) and when they are
> transferred via local IPC. That is necessary to control the propagation
> of access rights in the system, required for mandatory access control.
> SELinux also rechecks access upon use (e.g. read(2) and write(2)) when
> possible to support limited revocation upon policy changes and object
> relabels, but revocation is difficult to support completely.
Would it be inappropriate to add a compile time flag to bash to cause
such redirection to always bounce through the shell? Obviously there
would be a performance hit... but the mysterious failure is probably
worse...
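The two redirection strategies discussed in this message, written up as an added C example that is not from the thread: the shell opening the file and handing the descriptor to the child across execve (the inherited fd that SELinux rechecks on a domain transition), beside the shell-mediated copy the reply proposes. It assumes a POSIX system with `echo` on PATH as a stand-in for the real command.

```c
/* Added example, not from the thread: two ways a shell can do "cmd > file". */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Wait for the child, then report the size of the file on fd (or -1). */
static long finish(pid_t pid, int fd)
{
    int st; struct stat sb;
    long n = (pid > 0 && waitpid(pid, &st, 0) > 0 && WIFEXITED(st) &&
              WEXITSTATUS(st) == 0 && fstat(fd, &sb) == 0) ? (long)sb.st_size : -1;
    close(fd);
    return n;
}

/* Variant 1: the shell opens the file and the child inherits fd 1 across
 * execve; that inherited descriptor is what SELinux rechecks on a transition. */
long redirect_inherit(const char *path, char *const argv[])
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        dup2(fd, STDOUT_FILENO);          /* descriptor survives execve */
        execvp(argv[0], argv);
        _exit(127);
    }
    return finish(pid, fd);
}

/* Variant 2 ("bounce through the shell"): the child writes to a pipe and
 * never holds the file; the shell copies the data and does the write. */
long redirect_bounce(const char *path, char *const argv[])
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644), pfd[2];
    if (fd < 0 || pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        close(pfd[0]); close(fd);         /* child has no access to the file */
        dup2(pfd[1], STDOUT_FILENO);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(pfd[1]);
    char buf[4096]; ssize_t n;
    while ((n = read(pfd[0], buf, sizeof buf)) > 0)
        if (write(fd, buf, (size_t)n) != n) break;  /* write is the shell's */
    close(pfd[0]);
    return finish(pid, fd);
}
```

Both functions return the byte count of the resulting file, so the two variants can be compared directly on the same command.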