Bug 120271

Summary: tcpdump -w ... doesn't work in enforcing mode
Product: [Fedora] Fedora
Reporter: Tim Waugh <twaugh>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, leonard-rh-bugzilla, sdsmall
Hardware: All
OS: Linux
Whiteboard: triage|leonardjo|closed|notabug
Doc Type: Bug Fix
Last Closed: 2004-05-11 08:50:11 UTC

Description Tim Waugh 2004-04-07 14:54:58 UTC
Description of problem:
tcpdump is prohibited from writing files, and so the -w option doesn't
work.

Version-Release number of selected component (if applicable):
tcpdump-3.8.2-3
policy-1.10.1-2

How reproducible:
100%

Steps to Reproduce:
1. setenforce 1
2. tcpdump -w file
  
Actual results:
For a file in /root, for instance:

audit(1081349723.141:0): avc:  denied  { search } for  pid=30353
exe=/usr/sbin/tcpdump name=root dev=hda2 ino=3817473
scontext=root:sysadm_r:netutils_t
tcontext=root:object_r:staff_home_dir_t tclass=dir

For a /tmp file:
audit(1081349706.640:0): avc:  denied  { search } for  pid=30350
exe=/usr/sbin/tcpdump name=tmp dev=hda2 ino=4538369
scontext=root:sysadm_r:netutils_t tcontext=system_u:object_r:tmp_t
tclass=dir

etc.
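
The two AVC denials quoted in the description, parsed into fields and grouped by source type, target type and object class, which shows at a glance that the `netutils_t` domain is the one being refused. This is an added example, not part of the original report; the function names `parse_avc` and `summarize` are hypothetical, and the sample text is copied from the denials above.

```python
import re
from collections import defaultdict

# Copied from the description above, wrapped exactly as the report quotes it.
SAMPLE = """\
audit(1081349723.141:0): avc:  denied  { search } for  pid=30353
exe=/usr/sbin/tcpdump name=root dev=hda2 ino=3817473
scontext=root:sysadm_r:netutils_t
tcontext=root:object_r:staff_home_dir_t tclass=dir

For a /tmp file:
audit(1081349706.640:0): avc:  denied  { search } for  pid=30350
exe=/usr/sbin/tcpdump name=tmp dev=hda2 ino=4538369
scontext=root:sysadm_r:netutils_t tcontext=system_u:object_r:tmp_t
tclass=dir
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(text):
    """Return one dict per AVC record; records may wrap across lines."""
    records = []
    flat = " ".join(text.split())            # undo the line wrapping
    for chunk in flat.split("audit(")[1:]:   # each record starts at "audit("
        m = AVC_RE.match("audit(" + chunk)
        if not m:
            continue
        rec = {"timestamp": float(m["ts"]), "result": m["result"],
               "perms": m["perms"].split()}
        # The rest is key=value pairs; stray prose words have no "=".
        rec.update(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue                         # incomplete record, skip it
        # Contexts here are user:role:type; the type is the third field.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Group denied permissions by (source type, target type, class)."""
    summary = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            key = (r["source_type"], r["target_type"], r["tclass"])
            summary[key].update(r["perms"])
    return {k: sorted(v) for k, v in summary.items()}
```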

Comment 1 Tim Waugh 2004-04-07 15:12:53 UTC
(Requires policy change.)

Comment 2 Stephen Smalley 2004-04-08 12:11:49 UTC
Requires macro-izing the domain and instantiating it for each
user domain, e.g. $1_netutils_t, so that you can then allow it
access to the appropriate set of types for that user domain, e.g.
$1_tmp_t, $1_home_t, etc.  Note that you will still need a base domain
for use by initrc that won't have such accesses.

Comment 3 Harald Hoyer 2004-04-21 13:54:17 UTC
reassigned to policy

Comment 4 Daniel Walsh 2004-04-22 19:09:33 UTC
Allowing tcpdump to write to /tmp/, you need to run tcpdump as
sysadm_r in the current policy, so no reason to allow it to run as 

Comment 5 Leonard den Ottolander 2004-05-11 08:50:11 UTC
IIUC, this is intended behaviour. Closing NOTABUG.