Need suitable target context for writes by netutils_t source context
Daniel J Walsh
dwalsh at redhat.com
Tue Mar 16 19:21:20 UTC 2010
On 03/16/2010 12:51 PM, Robert Nichols wrote:
> On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
>
>> On 03/16/2010 11:44 AM, Robert Nichols wrote:
>>
>>> Where can netutils_t write? I have ifup_local starting a tcpdump process
>>> that needs to create and write files. Using 'sesearch' I thought I found
>>> that netutils_t would be a suitable target context, but now my supposedly
>>> unconfined root shell cannot manage files there (write/link/chcon/...).
>>>
>> netutils_t is a process context not a file context.
>>
>> # sesearch -A -s netutils_t -c file -p write
>> Found 4 semantic av rules:
>> allow domain afs_cache_t : file { read write } ;
>> allow netutils_t netutils_t : file { ioctl read write getattr lock
>> append open } ;
>> allow netutils_t logfile : file { ioctl read write getattr lock
>> append open } ;
>> allow netutils_t netutils_tmp_t : file { ioctl read write create
>> getattr setattr lock append unlink link rename open } ;
>>
>> Looks like netutils_tmp_t is your best option.
>>
> OK. Thanks, Dan.
>
> I guess I just have no clue what that second "allow" line, above, means.
>
The sesearch command above says: show me all allow rules (-A) with a
source context type of netutils_t, for a class of file, with the
permission write. That is, show me all the file types that netutils_t
can write to.
A better solution might have been to pipe the command to grep for open.
The output indicates, to the trained eye, that netutils_t can open and
write logfiles, netutils_tmp_t files, and /proc files with the same label.
logfile is an attribute given to all file types usually found in /var/log.
> Should I report it as a bug that system-config-selinux.py allowed me to
> set netutils_t as a file context?
>
Sure, it probably should check.