Bug 442181
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | AVC denial when redirecting X server output to a file | | |
| Product | [Fedora] Fedora | Reporter | Bill Crawford <billcrawford1970> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED WONTFIX | QA Contact | Ben Levenson <benl> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | rawhide | | |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2008-05-06 21:12:04 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Bill Crawford
2008-04-12 14:37:37 UTC
This is a known issue which we don't have a good solution to, until we update the kernel with open perms. You might be able to get this to work by executing

    mv -f X.log X.log.old ; startx -- -accessx | cat >&X.log

Or if you change the context of X.log to xserver_log_t:

    touch X.log
    chcon -t xserver_log_t X.log

Yeah, I realise it's a bit of ... can of worms. The latter solution (changing the context) looks good. If only there were some way of having that done automatically .... I take it this is but one example of the clash between the "do what you need to do and drop privileges" paradigm and the SELinux one ;o) I might just set the context and then *copy* the file ...

There is a new feature coming where the kernel separates out the access of open versus just read/write. Currently we cannot differentiate one process handing an open file descriptor for read/write from a process actually opening a file for read/write. So once we have this feature we can add boolean support to allow domains to read/write files in users' homedir but never open them. This would allow your example where bash is actually opening the file as unconfined_t and then handing the open file descriptor to xserver_t.
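The difference between the two redirection styles in the thread is about which process ends up holding a descriptor on the log file. The script below is an added illustration, not part of the bug report or of the Fedora policy; it assumes a Linux system with `/proc` and a POSIX shell, and uses a plain `sh -c` child in place of the X server. With `>&X.log` the shell opens the file and the child inherits a descriptor pointing straight at it (which is why a confined xserver_t domain then trips the AVC when it writes to a user_home_t file); with `| cat >&X.log` the child only ever sees a pipe, and it is `cat`, still in the caller's unconfined context, that opens the file.

```shell
#!/bin/sh
# Added example (not from the bug thread): show what a child process actually
# receives on stdout under the two redirection styles discussed above.

# Shell redirects the child's stdout to a file: the child inherits an already
# open descriptor on the log file itself and writes to it directly.
# Prints the path the child's fd 1 resolves to.
redirect_target() {
    log="$1"
    sh -c 'readlink /proc/self/fd/1' > "$log"
    cat "$log"
}

# Child writes into a pipe; only cat (running in the caller's context) opens
# the log file. Prints what the child's fd 1 resolves to, i.e. "pipe:[...]".
pipe_target() {
    log="$1"
    sh -c 'readlink /proc/self/fd/1' | cat > "$log"
    cat "$log"
}

# Stand-alone demonstration on a constructed temporary log file.
demo_log=$(mktemp)
echo "redirect: child fd 1 -> $(redirect_target "$demo_log")"
echo "pipe:     child fd 1 -> $(pipe_target "$demo_log")"
rm -f "$demo_log"
```

The second workaround in the thread, labelling the file `xserver_log_t` with `chcon` before starting the server, attacks the same problem from the other side: the server still inherits the descriptor, but the file's type is one the xserver_t domain is allowed to write. The pipe variant needs no relabelling and is the one to prefer when the log should stay an ordinary home-directory file.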