Curious Behavior doing routine redirection of ping output to file...
Richard Hally
rhally at mindspring.com
Wed Dec 21 05:38:17 UTC 2005
selinux.funchords at spameater.org wrote:
> I'm not exactly a "newbie," but I'm diving a lot deeper than
> I ever have. This one has me a little wrapped around the axle, and
> if someone could help clear the fog, I'd appreciate it.
>
> The short version:
> I'm trying to redirect the output of ping to a file. I get a 0
> byte file as a result.
>
> Where I am now:
> When selinux is permissive, it works as I expect it to.
>
> When this started, I had no idea that selinux was running or even what
> it was, exactly (I've been running this system for about two weeks).
> I've learned a lot since then. But I haven't figured out how to do
> anything other than flip bits on existing boolean rules and change
> the sestatus mode. For example, how do I fix the above problem?
>
> Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced.
>
> When this began, I posted a message to www.fedoraforum.org
> ( http://www.fedoraforum.org/forum/showthread.php?t=88238 )
> with the title, "BASH: How to redirect ping output to file?"
>
> Later, I found this from /var/log/audit/audit.log ...
> type=AVC msg=audit(1134599953.748:32): avc: denied { write } for
> pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895
> scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t
> tclass=file
> type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11
> success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2
> pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 comm="ping" exe="/bin/ping"
> type=AVC_PATH msg=audit(1134599953.748:32): path="/root/pingoutput2"
> type=CWD msg=audit(1134599953.748:32): cwd="/root"
> type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping"
> flags=101 inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1134599953.748:32): item=1 flags=101 inode=5892482
> dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
>
> ... and I discovered the commands audit2why and audit2allow, which has
> this example in the audit2allow man pages ...
>
> $ cd /etc/selinux/$(SELINUXTYPE)/src/policy
> $ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
> <review domains/misc/local.te and customize as desired>
> $ make load
>
> ... and that's where my zero-byte stack blows.
>
> I have no src directory under /etc/selinux/targeted, nor do I have
> anything at all on my system named domains. Still, I tried to follow
> the advice by mkdir'ing the necessary directories and creating a
> local.te file with the recommended "allow ping_t user_home_t:file write;"
> line in it.
> Then I typed 'make load' and I really think I actually heard something
> laugh at me.
> This is the way I learn best, and this isn't anything more than a
> curiosity to me. But from what I've told you so far, can you point
> me into the right direction?
>
> I did search the archive for this list, as well as the FC3 (which
> also seemed to point to these directories that I don't have).
>
> Thanks!
>
> Robb Topolski
> robb(at)funchords(dot)com
> http://www.funchords.com
>
Looks like you need to download the corresponding source for the policy
you are running, e.g. selinux-policy-targeted-source, for that audit2allow
and make load to work.
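
The step audit2allow performs on the denial quoted in this thread, as an added example that is not part of the original posts and is not audit2allow's own code: it parses `avc: denied` records and derives the `allow` statements to review before loading anything. The function names and the unwrapped sample record are assumptions of this example.

```python
import re
from collections import defaultdict

# AVC record from the post above with the e-mail line wrapping undone,
# followed by a non-AVC record that the parser must skip.
SAMPLE_LOG = (
    'type=AVC msg=audit(1134599953.748:32): avc: denied { write } for '
    'pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 '
    'scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t '
    'tclass=file\n'
    'type=CWD msg=audit(1134599953.748:32): cwd="/root"\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_denials(log_text):
    """Yield (source_type, target_type, class, perms) per complete denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH ... records carry no denial
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        src = context_type(f.get('scontext', ''))
        tgt = context_type(f.get('tcontext', ''))
        if src and tgt and 'tclass' in f:  # truncated record: derive nothing
            yield src, tgt, f['tclass'], m.group(1).split()

def allow_rules(log_text):
    """Merge denials into one allow statement per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The derived rule matches the line quoted in the thread; it grants every `ping_t` process write access to any `user_home_t` file, which is why the man page example includes a review step before `make load`.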