On 03/16/2010 12:51 PM, Robert Nichols wrote:
> On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
>> On 03/16/2010 11:44 AM, Robert Nichols wrote:
>>
>>> Where can netutils_t write? I have ifup_local starting a tcpdump process
>>> that needs to create and write files. Using 'sesearch' I thought I found
>>> that netutils_t would be a suitable target context, but now my supposedly
>>> unconfined root shell cannot manage files there (write/link/chcon/...).
>>>
>> netutils_t is a process context, not a file context.
>>
>> # sesearch -A -s netutils_t -c file -p write
>> Found 4 semantic av rules:
>> allow domain afs_cache_t : file { read write } ;
>> allow netutils_t netutils_t : file { ioctl read write getattr lock
>> append open } ;
>> allow netutils_t logfile : file { ioctl read write getattr lock
>> append open } ;
>> allow netutils_t netutils_tmp_t : file { ioctl read write create
>> getattr setattr lock append unlink link rename open } ;
>>
>> Looks like netutils_tmp_t is your best option.
>>
> OK. Thanks, Dan.
> I guess I just have no clue what that second "allow" line, above, means.
The sesearch command above says: show me all allow rules (-A) with a
source context type of netutils_t, for the class file, with the permission write.
Meaning: show me all the file types that netutils_t can write to.
A better solution might have been to pipe the command to grep for open.
The output indicates, to the trained eye, that netutils can open and
write logfile files, netutils_tmp_t files, and /proc files with the same label.
logfile is an attribute given to all file types usually found in /var/log.
> Should I report it as a bug that system-config-selinux.py allowed me to
> set netutils_t as a file context?
Sure, it probably should check.
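The filter Dan describes (pipe the sesearch output through a check for open as well as write), as an added shell example that is not part of the thread. The input is the rule set quoted above, re-joined to one line per rule as sesearch prints it, and the awk parsing assumes that output format:

```shell
#!/bin/sh
# Constructed input: the four rules from the thread, undoing the e-mail line wrapping.
SESEARCH_OUTPUT='Found 4 semantic av rules:
allow domain afs_cache_t : file { read write } ;
allow netutils_t netutils_t : file { ioctl read write getattr lock append open } ;
allow netutils_t logfile : file { ioctl read write getattr lock append open } ;
allow netutils_t netutils_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;'

# writable_and_openable PERM...: read sesearch -A output on stdin and print the
# target type (third field) of every allow rule whose permission set contains
# all of the named permissions, one per line. Rules whose source is an
# attribute such as "domain" are matched too, since netutils_t inherits them.
writable_and_openable() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        $1 == "allow" {
            perms = $0
            sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
            sub(/ *[}].*$/, "", perms)      # drop " } ;" and anything after
            ok = 1
            for (i = 1; i <= n; i++)
                if (index(" " perms " ", " " w[i] " ") == 0) ok = 0
            if (ok) print $3
        }'
}

# Only write: all four targets. write plus open: the three Dan names.
printf '%s\n' "$SESEARCH_OUTPUT" | writable_and_openable write
echo '---'
printf '%s\n' "$SESEARCH_OUTPUT" | writable_and_openable write open
```

On a live system the same function works on real output with `sesearch -A -s netutils_t -c file -p write | writable_and_openable write open`, as long as the rule lines keep this format.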