Curious Behavior doing routine redirection of ping output to file...

Richard Hally rhally at mindspring.com
Wed Dec 21 05:38:17 UTC 2005


selinux.funchords at spameater.org wrote:
> I'm not exactly a "newbie," but I'm diving a lot deeper than
> I ever have. This one has me a little wrapped around the axle, and
> if someone could help clear the fog, I'd appreciate it.
> 
> The short version:
> I'm trying to redirect the output of ping to a file.   I get a 0
> byte file as a result.
> 
> Where I am now:
> When selinux is permissive, it works as I expect it to.
> 
> When this started, I had no idea that selinux was running or even what
> it was, exactly (I've been running this system for about two weeks). 
> I've learned a lot since then.  But I haven't figured out how to do
> anything other than flip bits on existing boolean rules and change
> the sestatus mode.  For example, how do I fix the above problem?
> 
> Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced.
> 
> When this began, I posted a message to www.fedoraforum.org
> ( http://www.fedoraforum.org/forum/showthread.php?t=88238 )
> with the title, "BASH: How to redirect ping output to file?"
> 
> Later, I found this from /var/log/audit/audit.log ...
> type=AVC msg=audit(1134599953.748:32): avc:  denied  { write } for  
> pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 
> scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t 
> tclass=file
> type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11 
> success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2 
> pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 comm="ping" exe="/bin/ping"
> type=AVC_PATH msg=audit(1134599953.748:32):  path="/root/pingoutput2"
> type=CWD msg=audit(1134599953.748:32):  cwd="/root"
> type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping" 
> flags=101  inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1134599953.748:32): item=1 flags=101  inode=5892482 
> dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> 
> ... and I discovered the commands audit2why and audit2allow, which has
> this example in the audit2allow man pages ...
> 
>  $ cd /etc/selinux/$(SELINUXTYPE)/src/policy
>  $ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
>  <review domains/misc/local.te and customize as desired>
>  $ make load
> 
> ... and that's where my zero-byte stack blows.
> 
> I have no src directory under /etc/selinux/targeted, nor do I have
> anything at all on my system named domains.  Still, I tried to follow
> the advice by mkdir'ing the necessary directories and creating a
> local.te file with the recommended "allow ping_t user_home_t:file write;"
> line in it.
> Then I typed 'make load' and I really think I actually heard something
> laugh at me.
> This is the way I learn best, and this isn't anything more than a
> curiosity to me.  But from what I've told you so far, can you point
> me into the right direction?
> 
> I did search the archive for this list, as well as the FC3 (which
> also seemed to point to these directories that I don't have).
> 
> Thanks!
> 
> Robb Topolski
> robb(at)funchords(dot)com
> http://www.funchords.com
> 
Looks like you need to download the corresponding source for the policy 
you are running, e.g. selinux-policy-targeted-source, for that audit2allow 
and make load to work.
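
An added example, not part of either message and not the audit2allow source: a small Python parser that ties the quoted AVC record to its AVC_PATH record by audit event id and renders the candidate allow rule, so the denial can be read before any policy is changed. The function names and the unwrapped `SAMPLE_LOG` are assumptions made for this illustration.

```python
import re

# Records taken from the audit.log excerpt quoted above, with the mail
# client's line wrapping undone (constructed sample input).
SAMPLE_LOG = '''\
type=AVC msg=audit(1134599953.748:32): avc:  denied  { write } for  pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=AVC_PATH msg=audit(1134599953.748:32):  path="/root/pingoutput2"
type=CWD msg=audit(1134599953.748:32):  cwd="/root"
'''

RECORD = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_denials(log_text):
    """Return one dict per AVC denial, joined to AVC_PATH by event id."""
    avcs, paths = [], {}
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "AVC_PATH":
            p = re.search(r'path="([^"]*)"', body)
            if p:
                paths[event_id] = p.group(1)
        elif rtype == "AVC" and AVC.match(body):
            avcs.append((event_id, AVC.match(body)))
    denials = []
    for event_id, avc in avcs:
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', avc.group(2)))
        denials.append({
            "event": event_id,
            "perms": avc.group(1).split(),
            "comm": fields.get("comm", "").strip('"'),
            # A context is user:role:type[:level]; the type is field 3.
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "path": paths.get(event_id),
        })
    return denials

def allow_rule(d):
    """Render a denial as a type-enforcement rule for review."""
    p = d["perms"]
    perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perm_text};"

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f"{d['comm']} denied {d['perms']} on {d['path']}: {allow_rule(d)}")
```

The rule names types, not paths: loading it would let `ping_t` write to every file labelled `user_home_t`, not only `/root/pingoutput2`, which is what the man page's review step is there to catch.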




