Old 03-16-2010, 03:22 PM
Daniel J Walsh
 
Default Need suitable target context for writes by netutils_t source context

On 03/16/2010 11:44 AM, Robert Nichols wrote:
> Where can netutils_t write? I have ifup_local starting a tcpdump process
> that needs to create and write files. Using 'sesearch' I thought I found
> that netutils_t would be a suitable target context, but now my supposedly
> unconfined root shell cannot manage files there (write/link/chcon/...).
>
>
netutils_t is a process context, not a file context.


# sesearch -A -s netutils_t -c file -p write
Found 4 semantic av rules:
allow domain afs_cache_t : file { read write } ;
allow netutils_t netutils_t : file { ioctl read write getattr lock
append open } ;
allow netutils_t logfile : file { ioctl read write getattr lock
append open } ;
allow netutils_t netutils_tmp_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;

Looks like netutils_tmp_t is your best option.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-16-2010, 03:51 PM
Robert Nichols
 
Default Need suitable target context for writes by netutils_t source context

On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
> On 03/16/2010 11:44 AM, Robert Nichols wrote:
>> Where can netutils_t write? I have ifup_local starting a tcpdump process
>> that needs to create and write files. Using 'sesearch' I thought I found
>> that netutils_t would be a suitable target context, but now my supposedly
>> unconfined root shell cannot manage files there (write/link/chcon/...).
>>
>>
> netutils_t is a process context not a file context.
>
>
> # sesearch -A -s netutils_t -c file -p write
> Found 4 semantic av rules:
> allow domain afs_cache_t : file { read write } ;
> allow netutils_t netutils_t : file { ioctl read write getattr lock
> append open } ;
> allow netutils_t logfile : file { ioctl read write getattr lock
> append open } ;
> allow netutils_t netutils_tmp_t : file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
>
> Looks like netutils_tmp_t is your best option.

OK. Thanks, Dan.

I guess I just have no clue what that second "allow" line, above, means.

Should I report it as a bug that system-config-selinux.py allowed me to
set netutils_t as a file context?

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-16-2010, 06:21 PM
Daniel J Walsh
 
Default Need suitable target context for writes by netutils_t source context

On 03/16/2010 12:51 PM, Robert Nichols wrote:
> On 03/16/2010 11:22 AM, Daniel J Walsh wrote:
>
>> On 03/16/2010 11:44 AM, Robert Nichols wrote:
>>
>>> Where can netutils_t write? I have ifup_local starting a tcpdump process
>>> that needs to create and write files. Using 'sesearch' I thought I found
>>> that netutils_t would be a suitable target context, but now my supposedly
>>> unconfined root shell cannot manage files there (write/link/chcon/...).
>>>
>>>
>>>
>> netutils_t is a process context not a file context.
>>
>>
>> # sesearch -A -s netutils_t -c file -p write
>> Found 4 semantic av rules:
>> allow domain afs_cache_t : file { read write } ;
>> allow netutils_t netutils_t : file { ioctl read write getattr lock
>> append open } ;
>> allow netutils_t logfile : file { ioctl read write getattr lock
>> append open } ;
>> allow netutils_t netutils_tmp_t : file { ioctl read write create
>> getattr setattr lock append unlink link rename open } ;
>>
>> Looks like netutils_tmp_t is your best option.
>>
> OK. Thanks, Dan.
>
> I guess I just have no clue what that second "allow" line, above, means.
>
>
The sesearch command above says show me all allow rules (-A) with a source context type of netutils_t for a class of file with the permissions write. Meaning show me all the file types that netutils_t can write to.

A better solution might have been to pipe the command to grep for open.

The output indicates to the trained eye that netutils can open and write logfiles, netutils_tmp_t and /proc files with the same label. logfiles is an attribute given to all file types usually in /var/log.
> Should I report it as a bug that system-config-selinux.py allowed me to
> set netutils_t as a file context?
>
>
Sure, it probably should check.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
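As an added illustration (not part of the thread and not an SELinux tool), the script below parses the sesearch output Dan quoted and applies the two criteria he describes: a rule only counts if it grants write together with open, and for a process that must create new files (tcpdump writing a capture) it must grant create as well. The sample input is the thread's own sesearch output, embedded inline so the script runs offline.

```python
import re
from typing import Dict, Set

# The 'sesearch -A -s netutils_t -c file -p write' output quoted in the thread,
# kept with sesearch's line wrapping. Embedded here as a constructed sample;
# in practice you would feed the command's stdout to parse_allow_rules().
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
allow domain afs_cache_t : file { read write } ;
allow netutils_t netutils_t : file { ioctl read write getattr lock
append open } ;
allow netutils_t logfile : file { ioctl read write getattr lock
append open } ;
allow netutils_t netutils_tmp_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
"""

# allow <source> <target> : <class> { <perms> } ;
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}"
)


def parse_allow_rules(text: str) -> Dict[str, Set[str]]:
    """Map each target type/attribute to the file permissions granted on it.

    The source column is not kept: '-s netutils_t' already restricted it, and
    the 'domain' source is an attribute that netutils_t is a member of.
    """
    # Rejoin the continuation lines sesearch wraps permission lists onto.
    joined = re.sub(r"\n(?!allow|Found)", " ", text)
    rules: Dict[str, Set[str]] = {}
    for line in joined.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("cls") == "file":
            rules.setdefault(m.group("tgt"), set()).update(m.group("perms").split())
    return rules


def writable_targets(rules: Dict[str, Set[str]], needed=frozenset({"write", "open"})):
    """Targets whose rule grants every permission in `needed` (write alone is useless)."""
    return sorted(tgt for tgt, perms in rules.items() if needed <= perms)


def creatable_targets(rules: Dict[str, Set[str]]):
    """Targets where the domain may also create new files, which is what tcpdump needs."""
    return writable_targets(rules, frozenset({"create", "write", "open"}))


if __name__ == "__main__":
    parsed = parse_allow_rules(SESEARCH_OUTPUT)
    print("write+open :", writable_targets(parsed))   # afs_cache_t drops out: no open
    print("also create:", creatable_targets(parsed))  # only netutils_tmp_t
```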
 

Thread Tools




All times are GMT. The time now is 04:53 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org