Bug 120271 - tcpdump -w ... doesn't work in enforcing mode
Summary: tcpdump -w ... doesn't work in enforcing mode
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: policy   
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard: triage|leonardjo|closed|notabug
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-04-07 14:54 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-05-11 08:50:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Tim Waugh 2004-04-07 14:54:58 UTC
Description of problem:
tcpdump is prohibited from writing files, and so the -w option doesn't
work.

Version-Release number of selected component (if applicable):
tcpdump-3.8.2-3
policy-1.10.1-2

How reproducible:
100%

Steps to Reproduce:
1. setenforce 1
2. tcpdump -w file
  
Actual results:
For a file in /root, for instance:

audit(1081349723.141:0): avc:  denied  { search } for  pid=30353
exe=/usr/sbin/tcpdump name=root dev=hda2 ino=3817473
scontext=root:sysadm_r:netutils_t
tcontext=root:object_r:staff_home_dir_t tclass=dir

For a /tmp file:
audit(1081349706.640:0): avc:  denied  { search } for  pid=30350
exe=/usr/sbin/tcpdump name=tmp dev=hda2 ino=4538369
scontext=root:sysadm_r:netutils_t tcontext=system_u:object_r:tmp_t
tclass=dir

etc.

Comment 1 Tim Waugh 2004-04-07 15:12:53 UTC
(Requires policy change.)

Comment 2 Stephen Smalley 2004-04-08 12:11:49 UTC
Requires macro-izing the domain and instantiating it for each
user domain, e.g. $1_netutils_t, so that you can then allow it
access to the appropriate set of types for that user domain, e.g.
$1_tmp_t, $1_home_t, etc.  Note that you will still need a base domain
for use by initrc that won't have such accesses.

Comment 3 Harald Hoyer 2004-04-21 13:54:17 UTC
reassigned to policy

Comment 4 Daniel Walsh 2004-04-22 19:09:33 UTC
Allowing tcpdump to write to /tmp/, you need to run tcpdump as
sysadm_r in the current policy, so no reason to allow it to run as 

Comment 5 Leonard den Ottolander 2004-05-11 08:50:11 UTC
Iiuc this is intended behaviour. Closing NOTABUG.


Note You need to log in before you can comment on or make changes to this bug.