Bug 138767 - SELinux FAQ - why is there no output from certain daemons run in debug or interactive mode?
SELinux FAQ - why is there no output from certain daemons run in debug or int...
Status: CLOSED CURRENTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karsten Wade
Tammy Fox
http://fedora.redhat.com/docs/selinux...
:
Depends On:
Blocks: 118757
  Show dependency treegraph
 
Reported: 2004-11-10 20:09 EST by Karsten Wade
Modified: 2007-04-18 13:14 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-31 13:40:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Karsten Wade 2004-11-10 20:09:51 EST
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

(from dwalsh)

How come I run certain daemons in debug mode or interactive mode I see 
no output?

SELinux turns off access to the tty devices in order to stop daemons 
from communicating back with the controlling terminal.  This is a 
potential security hole, in that applications could insert commands into 
the controlling terminal and cause havoc.

One mechanism to see the output is to pipe the output to the cat command.

snmpd -v | cat

If you are debugging an application you might want to turn off 
transitioning to the daemon, you can do this using s-c-sl.

Or you can turn off enforcing mode via setenforce 0.


Version-Release of FAQ 

  selinux-faq-1.3-3 (2004-11-09-T04:20-0800)
Comment 1 Karsten Wade 2004-12-31 13:40:34 EST
Included in 1.3-5.

## begin Q/A addition to FAQ

Q:  Why do I not see the output when I run certain daemons in debug or
interactive mode?

A:  SELinux intentionally disables access to the tty devices to stop daemons
from communicating back with the controlling terminal. This communication is a
potential security hole because such daemons could insert commands into the
controlling terminal. A broken or compromised program could cause serious
problems with this.

There are a few ways you can capture STDOUT from daemons. One method is to pipe
the output to the cat command.

snmpd -v | cat

When debugging a daemon, you may want to turn of the transitioning of the daemon
to its specific domain. You can do this using system-config-securitylevel or
setsebool on the command line.

A final option is to turn off enforcing mode while debugging. You can do this
with setenforce 0, using setenforce 1 to reenable SELinux when you are finished
debugging. 

## 30 ##

Note You need to log in before you can comment on or make changes to this bug.