Bug 187958

Summary: SELinux blocks ping redirect to file
Product: [Fedora] Fedora Reporter: Matthew Saltzman <mjs>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-05-05 15:04:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Saltzman 2006-04-04 21:28:28 UTC
Description of problem:
SELinux prevents "ping ... > foo".  The file foo is created, but no lines are
written.  An AVC is generated:

kernel: audit(1144078487.621:723): avc:  denied  { ioctl } for  pid=22278
comm="ping" name="foo" dev=dm-0 ino=65693
scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=user_u:object_r:user_home_t:s0 tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-3.fc5

How reproducible:
Always

Steps to Reproduce:
1. ping www.redhat.com > foo
2. Wait a few secs.
3.
  
Actual results:
Described above.

Expected results:
Results of ping written to file

Additional info:
ping output to console works fine.  Redirect is blocked for root as well as
normal users.  "ping | cat > foo" is a  workaround.

Comment 1 Daniel Walsh 2006-04-05 12:40:10 UTC
Unconfined should not be transitioning to ping_t so this has been removed from
selinux-policy-targeted-2.2.29-3.fc5

Comment 3 Daniel Walsh 2006-05-05 15:04:55 UTC
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed