Need suitable target context for writes by netutils_t source context
Robert Nichols
rnicholsNOSPAM at comcast.net
Tue Mar 16 16:51:47 UTC 2010
On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
> On 03/16/2010 11:44 AM, Robert Nichols wrote:
>> Where can netutils_t write? I have ifup_local starting a tcpdump process
>> that needs to create and write files. Using 'sesearch' I thought I found
>> that netutils_t would be a suitable target context, but now my supposedly
>> unconfined root shell cannot manage files there (write/link/chcon/...).
>>
>>
> netutils_t is a process context not a file context.
>
>
> # sesearch -A -s netutils_t -c file -p write
> Found 4 semantic av rules:
> allow domain afs_cache_t : file { read write } ;
> allow netutils_t netutils_t : file { ioctl read write getattr lock
> append open } ;
> allow netutils_t logfile : file { ioctl read write getattr lock
> append open } ;
> allow netutils_t netutils_tmp_t : file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
>
> Looks like netutils_tmp_t is your best option.
OK. Thanks, Dan.
I guess I just have no clue what that second "allow" line, above, means.
Should I report it as a bug that system-config-selinux.py allowed me to
set netutils_t as a file context?
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
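Dan's reading of the `sesearch` output hinges on one detail: of the four targets that permit `write`, only `netutils_tmp_t` also permits `create`, which a process that must make new files needs. The following is an added example, not something posted in this thread; it parses the quoted `sesearch -A` output (constructed here from the lines above, with the wrapped rule lines rejoined; no live query is made) and filters targets by the permission set required, so the same check can be applied to any pasted `sesearch` result.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample input: the rules quoted in the thread, rejoined onto
# single lines. The "domain" source and "logfile" target are policy
# attributes rather than concrete types, which the parser treats the same way.
SAMPLE_SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
allow domain afs_cache_t : file { read write } ;
allow netutils_t netutils_t : file { ioctl read write getattr lock append open } ;
allow netutils_t logfile : file { ioctl read write getattr lock append open } ;
allow netutils_t netutils_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
"""

# One allow rule per line: "allow SRC TGT : CLASS { p1 p2 ... } ;"
# A single permission may be printed without braces: "allow SRC TGT : CLASS p ;"
ALLOW_RE = re.compile(
    r"^allow\s+(?P<source>\S+)\s+(?P<target>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<permset>[^}]*)\}|(?P<perm>\S+))\s*;"
)


def parse_allow_rules(text: str) -> List[Dict[str, object]]:
    """Return one dict per allow rule found in sesearch output; other lines are skipped."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Found 4 semantic av rules:"
        perms: Set[str] = set((m.group("permset") or m.group("perm")).split())
        rules.append({
            "source": m.group("source"),
            "target": m.group("target"),
            "class": m.group("cls"),
            "perms": perms,
        })
    return rules


def targets_with_perms(rules: List[Dict[str, object]], cls: str,
                       required: Iterable[str]) -> List[str]:
    """Targets (types or attributes) whose rule on `cls` grants every permission in `required`."""
    need = set(required)
    return sorted({
        str(r["target"]) for r in rules
        if r["class"] == cls and need <= r["perms"]  # type: ignore[operator]
    })


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_SESEARCH_OUTPUT)
    # Every target the thread's query matched (write on class file).
    print("write:", targets_with_perms(rules, "file", {"write"}))
    # Only the targets where tcpdump could also create its output files.
    print("write+create:", targets_with_perms(rules, "file", {"write", "create"}))
```

Running it prints four targets for plain `write` but only `netutils_tmp_t` for `write` plus `create`, which is the distinction behind Dan's recommendation. Note that a hit on an attribute such as `logfile` means any type carrying that attribute, so the filter is a starting point for reading policy, not a substitute for checking the concrete type with `seinfo` or the file's current label with `ls -Z`.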