This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
First Last Prev Next    This bug is not in your last search results.
Bug 662962 - traceroute_t cannot write to tmp_t
traceroute_t cannot write to tmp_t
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.6
Unspecified Unspecified
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Karel Srot
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-12-14 04:34 EST by Karel Srot
Modified: 2011-02-10 03:14 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-02-10 03:14:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Karel Srot 2010-12-14 04:34:46 EST 
Description of problem:

Tools such as traceroute or nmap do have context traceroute_exec_t. 
traceroute_t is not allowed to read from/write to files with tmp_t context, also access directories with such context. Therefore I am e.g. unable to use nmap in the script and redirect the output into /tmp directory (I have to manually change the context of the output file e.g. to tmpfs_t prior the nmap execution).
Not sure whether this is intentional but this is allowed on RHEL6.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279
selinux-policy-2.4.6-300

Additional info:

On RHEL5:
# sesearch -s traceroute_t -c file -p write --allow
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append }; 
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append }; 

On RHEL6:
$ sesearch -s traceroute_t -t tmp_t -c file  --allow
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
$ sesearch -s traceroute_t -t tmp_t -c dir  --allow
Found 1 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ;
Comment 1 Miroslav Grepl 2010-12-14 07:15:31 EST 
Are tools started from init script?



But strange is where the first rule comes from it. I am not seeing it in Fedora13 which has the same policy as the latest RHEL6 policy.

I mean

Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
Comment 2 Miroslav Grepl 2010-12-14 07:47:58 EST 
(In reply to comment #1)
> Are tools started from init script?
> 

If you run it in RHTS, you will need to add to your test script

traceroute localhost | cat > /tmp/testroute
Comment 3 Miroslav Grepl 2010-12-14 08:40:51 EST 
Ok, I have found a culprit.

# rpm -qa --scripts | grep semodule
semodule -b base.pp.bz2 -i $packages -s targeted; 
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip 2>/dev/null
semodule -b base.pp.bz2 -i $packages -s targeted; 
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :
semodule -r rhts 2>/dev/null || :
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :

# rpm -qf /usr/share/selinux/packages/rhts/rhts.pp
rhts-test-env-4.26-1.el6.noarch


I am really interested what I will see in this policy.
Comment 4 Daniel Walsh 2010-12-14 08:56:56 EST 
Yes the test policy allows tools to write to tmp_t.  If you remove this policy traceroute_t would fail the write.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.