Bug 138767

Summary: SELinux FAQ - why is there no output from certain daemons run in debug or interactive mode?
Product: [Fedora] Fedora Documentation Reporter: Karsten Wade <kwade>
Component: selinux-faq Assignee: Karsten Wade <kwade>
Status: CLOSED CURRENTRELEASE QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium Docs Contact:
Priority: medium    
Version: devel   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://fedora.redhat.com/docs/selinux-faq-fc3/
Doc Type: Bug Fix
Last Closed: 2004-12-31 18:40:34 UTC
Bug Blocks: 118757    

Description Karsten Wade 2004-11-11 01:09:51 UTC
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

(from dwalsh)

How come when I run certain daemons in debug mode or interactive mode I see 
no output?

SELinux turns off access to the tty devices in order to stop daemons 
from communicating back with the controlling terminal.  This is a 
potential security hole, in that applications could insert commands into 
the controlling terminal and cause havoc.

One mechanism to see the output is to pipe the output to the cat command.

snmpd -v | cat

If you are debugging an application you might want to turn off 
transitioning to the daemon; you can do this using s-c-sl.

Or you can turn off enforcing mode via setenforce 0.


Version-Release of FAQ 

  selinux-faq-1.3-3 (2004-11-09-T04:20-0800)

Comment 1 Karsten Wade 2004-12-31 18:40:34 UTC
Included in 1.3-5.

## begin Q/A addition to FAQ

Q:  Why do I not see the output when I run certain daemons in debug or
interactive mode?

A:  SELinux intentionally disables access to the tty devices to stop daemons
from communicating back with the controlling terminal. This communication is a
potential security hole because such daemons could insert commands into the
controlling terminal. A broken or compromised program could cause serious
problems with this.

There are a few ways you can capture STDOUT from daemons. One method is to pipe
the output to the cat command.

snmpd -v | cat

When debugging a daemon, you may want to turn off the transitioning of the daemon
to its specific domain. You can do this using system-config-securitylevel or
setsebool on the command line.

A final option is to turn off enforcing mode while debugging. You can do this
with setenforce 0, using setenforce 1 to reenable SELinux when you are finished
debugging. 

## 30 ##
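
The last option in the FAQ answer above relies on remembering to run setenforce 1 once debugging is done. As an added example (not part of the bug report or the FAQ text), here is a shell wrapper that restores the previous mode automatically. The name run_permissive is hypothetical, and the wrapper assumes the standard getenforce and setenforce utilities and root privileges:

```sh
#!/bin/sh
# Added example: run one command with SELinux in permissive mode, then put
# enforcing mode back even if the command fails or is interrupted.
# run_permissive is a hypothetical helper name (assumption, not from the FAQ).

run_permissive() {
    if [ "$#" -eq 0 ]; then
        echo "usage: run_permissive command [args...]" >&2
        return 2
    fi

    prev_mode=$(getenforce) || return 1

    case "$prev_mode" in
        Enforcing)
            # Catch INT/TERM so this shell survives the signal and reaches
            # the restore step; the child keeps default signal handling.
            trap ':' INT TERM
            setenforce 0 || { trap - INT TERM; return 1; }
            ;;
        Permissive|Disabled)
            # Nothing to relax, and enforcing must not be switched on later.
            ;;
        *)
            echo "unexpected getenforce output: $prev_mode" >&2
            return 1
            ;;
    esac

    "$@"
    status=$?

    if [ "$prev_mode" = Enforcing ]; then
        trap - INT TERM
        setenforce 1 || return 1
        # Confirm the system really is enforcing again before returning.
        [ "$(getenforce)" = Enforcing ] || return 1
    fi
    return "$status"
}

# Example (as root): run_permissive snmpd -v
```

The wrapper returns the debugged command's own exit status, so it can replace a manual setenforce 0 / setenforce 1 pair in a debugging session.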