10:44 a.m.
Where can netutils_t write? I have ifup_local starting a tcpdump process
that needs to create and write files. Using 'sesearch' I thought I found
that netutils_t would be a suitable target context, but now my supposedly
unconfined root shell cannot manage files there (write/link/chcon/...).
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
11:22 a.m.
On 03/16/2010 11:44 AM, Robert Nichols wrote:
Where can netutils_t write? I have ifup_local starting a tcpdump
process
that needs to create and write files. Using 'sesearch' I thought I found
that netutils_t would be a suitable target context, but now my supposedly
unconfined root shell cannot manage files there (write/link/chcon/...).
netutils_t is a process context not a file context.
# sesearch -A -s netutils_t -c file -p write
Found 4 semantic av rules:
allow domain afs_cache_t : file { read write } ;
allow netutils_t netutils_t : file { ioctl read write getattr lock
append open } ;
allow netutils_t logfile : file { ioctl read write getattr lock
append open } ;
allow netutils_t netutils_tmp_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
Looks like netutils_tmp_t is your best option.
11:51 a.m.
On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
On 03/16/2010 11:44 AM, Robert Nichols wrote:
> Where can netutils_t write? I have ifup_local starting a tcpdump process
> that needs to create and write files. Using 'sesearch' I thought I found
> that netutils_t would be a suitable target context, but now my supposedly
> unconfined root shell cannot manage files there (write/link/chcon/...).
>
>
netutils_t is a process context not a file context.
# sesearch -A -s netutils_t -c file -p write
Found 4 semantic av rules:
allow domain afs_cache_t : file { read write } ;
allow netutils_t netutils_t : file { ioctl read write getattr lock
append open } ;
allow netutils_t logfile : file { ioctl read write getattr lock
append open } ;
allow netutils_t netutils_tmp_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
Looks like netutils_tmp_t is your best option.
OK. Thanks, Dan.
I guess I just have no clue what that second "allow" line, above, means.
Should I report it as a bug that system-config-selinux.py allowed me to
set netutils_t as a file context?
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
2:21 p.m.
On 03/16/2010 12:51 PM, Robert Nichols wrote:
On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
> On 03/16/2010 11:44 AM, Robert Nichols wrote:
>
>> Where can netutils_t write? I have ifup_local starting a tcpdump process
>> that needs to create and write files. Using 'sesearch' I thought I
found
>> that netutils_t would be a suitable target context, but now my supposedly
>> unconfined root shell cannot manage files there (write/link/chcon/...).
>>
>>
>>
> netutils_t is a process context not a file context.
>
>
> # sesearch -A -s netutils_t -c file -p write
> Found 4 semantic av rules:
> allow domain afs_cache_t : file { read write } ;
> allow netutils_t netutils_t : file { ioctl read write getattr lock
> append open } ;
> allow netutils_t logfile : file { ioctl read write getattr lock
> append open } ;
> allow netutils_t netutils_tmp_t : file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
>
> Looks like netutils_tmp_t is your best option.
>
OK. Thanks, Dan.
I guess I just have no clue what that second "allow" line, above, means.
The sesearch command above says show me all allow rules (-A) with a
source context type of netutils_t
for a class of file with the permissions write. Meaning show me all the
file types that netutils_t can write to.
A better solution might have been to pipe the command to grep for open.
The output indicates to the trained eye, that netutils can open and
write logfiles, netutils_tmp_t and to /proc files with the same label.
logfiles is an attribute given to all files types usually in /var/log.
Should I report it as a bug that system-config-selinux.py allowed me
to
set netutils_t as a file context?
Sure, it probably should check.
5163
days inactive
5163
days old
selinux@lists.fedoraproject.org
3 comments
2 participants
participants (2)
-
Daniel J Walsh -
Robert Nichols