Bug 120271 - tcpdump -w ... doesn't work in enforcing mode
Product: Fedora
Classification: Fedora
Component: policy
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2004-04-07 10:54 EDT by Tim Waugh
Modified: 2007-11-30 17:10 EST (History)

Doc Type: Bug Fix
Last Closed: 2004-05-11 04:50:11 EDT

Attachments: None
Description Tim Waugh 2004-04-07 10:54:58 EDT
Description of problem:
tcpdump is prohibited from writing files, and so the -w option doesn't

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. setenforce 1
2. tcpdump -w file
Actual results:
For a file in /root, for instance:

audit(1081349723.141:0): avc:  denied  { search } for  pid=30353
exe=/usr/sbin/tcpdump name=root dev=hda2 ino=3817473
tcontext=root:object_r:staff_home_dir_t tclass=dir

For a /tmp file:
audit(1081349706.640:0): avc:  denied  { search } for  pid=30350
exe=/usr/sbin/tcpdump name=tmp dev=hda2 ino=4538369
scontext=root:sysadm_r:netutils_t tcontext=system_u:object_r:tmp_t

Comment 1 Tim Waugh 2004-04-07 11:12:53 EDT
(Requires policy change.)
Comment 2 Stephen Smalley 2004-04-08 08:11:49 EDT
Requires macro-izing the domain and instantiating it for each
user domain, e.g. $1_netutils_t, so that you can then allow it
access to the appropriate set of types for that user domain, e.g.
$1_tmp_t, $1_home_t, etc.  Note that you will still need a base domain
for use by initrc that won't have such accesses.
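Added example, not part of the bug report, of tcpdump, or of the Fedora policy tree: a small Python script that turns the AVC denials quoted in the description into allow rules the way audit2allow does, then rewrites a rule for the base netutils_t domain into the per-user-domain form Comment 2 describes ($1_netutils_t against $1_tmp_t and a home type). The third AVC line in SAMPLE_AVCS and the USER_PRIVATE_TYPES mapping are constructed for illustration and are not from the bug or any real policy. The first denial in the bug carries no scontext field; the script skips it unless a source context is supplied rather than guessing the domain.

```python
"""Mini audit2allow for the AVC denials in this bug.

Added example; not part of the bug report, of tcpdump, or of the Fedora
policy tree.  It parses AVC lines in the 2004-era format quoted in the
description, collapses them into allow rules, and rewrites a rule for the
base netutils_t domain into the per-user-domain form Comment 2 describes.
"""
import re
from collections import OrderedDict

# Constructed sample input.  Lines 1 and 2 are the bug's two denials joined
# onto one line each as audit emits them; line 3 is made up for this example
# to show merging of several permissions on one source/target/class triple.
SAMPLE_AVCS = """\
audit(1081349723.141:0): avc:  denied  { search } for  pid=30353 exe=/usr/sbin/tcpdump name=root dev=hda2 ino=3817473 tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1081349706.640:0): avc:  denied  { search } for  pid=30350 exe=/usr/sbin/tcpdump name=tmp dev=hda2 ino=4538369 scontext=root:sysadm_r:netutils_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1081349706.641:0): avc:  denied  { write add_name } for  pid=30350 exe=/usr/sbin/tcpdump name=tmp dev=hda2 ino=4538369 scontext=root:sysadm_r:netutils_t tcontext=system_u:object_r:tmp_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")
RULE_RE = re.compile(r"allow (\S+) (\S+):(\S+) (.+);")

# Assumption for illustration only: object types that become per-user types
# ($1_...) once the domain is macro-ized.  Real policy trees name these
# differently; the bug itself only mentions $1_tmp_t and $1_home_t.
USER_PRIVATE_TYPES = {"tmp_t": "$1_tmp_t", "staff_home_dir_t": "$1_home_dir_t"}


def parse_avc(line):
    """Parse one AVC line into a dict of its fields; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["result"] = m.group("result")
    rec["perms"] = tuple(m.group("perms").split())
    return rec


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def allow_rules(text, default_scontext=None):
    """Collapse denials into 'allow src tgt:class perms;' rules, audit2allow-style.

    A denial with no scontext (the first one in the bug) is skipped unless the
    caller passes default_scontext: guessing the source domain would produce a
    rule for the wrong domain.
    """
    merged = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        scontext = rec.get("scontext", default_scontext)
        if scontext is None or "tcontext" not in rec or "tclass" not in rec:
            continue
        key = (type_of(scontext), type_of(rec["tcontext"]), rec["tclass"])
        plist = merged.setdefault(key, [])
        for p in rec["perms"]:
            if p not in plist:
                plist.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def per_user_rule(rule, base_domain="netutils_t"):
    """Rewrite a rule for base_domain into its $1_-parameterized macro form.

    Returns None when the target is not a per-user type: that access must then
    be decided for the base domain, which Comment 2 says initrc still needs
    and which should not receive the per-user accesses.
    """
    m = RULE_RE.fullmatch(rule)
    if m is None or m.group(1) != base_domain:
        return None
    tgt = USER_PRIVATE_TYPES.get(m.group(2))
    if tgt is None:
        return None
    return f"allow $1_{base_domain} {tgt}:{m.group(3)} {m.group(4)};"


if __name__ == "__main__":
    print("# base-domain rules (what audit2allow would suggest):")
    for r in allow_rules(SAMPLE_AVCS, default_scontext="root:sysadm_r:netutils_t"):
        print(r)
        print("# per-user macro form:", per_user_rule(r))
```

Run as a script, it prints the base-domain rules first and the macro form beside each. The base-domain rules are the quick fix a reader of these denials would reach for, and they are exactly what Comment 2 argues against: granting netutils_t search and write on tmp_t and the home directory types would also apply to the initrc-started instance, whereas the $1_ form confines the access to the user domain that launched tcpdump.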
Comment 3 Harald Hoyer 2004-04-21 09:54:17 EDT
reassigned to policy
Comment 4 Daniel Walsh 2004-04-22 15:09:33 EDT
Allowing tcpdump to write to /tmp/, you need to run tcpdump as
sysadm_r in the current policy, so no reason to allow it to run as 
Comment 5 Leonard den Ottolander 2004-05-11 04:50:11 EDT
IIUC this is intended behaviour. Closing NOTABUG.
