Bug 662962 - traceroute_t cannot write to tmp_t
Summary: traceroute_t cannot write to tmp_t
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-14 09:34 UTC by Karel Srot
Modified: 2011-02-10 08:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-10 08:14:41 UTC
Target Upstream Version:
Embargoed:



Description Karel Srot 2010-12-14 09:34:46 UTC
Description of problem:

Tools such as traceroute or nmap have the context traceroute_exec_t.
traceroute_t is not allowed to read from/write to files with the tmp_t context, nor to access directories with such a context. Therefore I am e.g. unable to use nmap in the script and redirect the output into the /tmp directory (I have to manually change the context of the output file, e.g. to tmpfs_t, prior to the nmap execution).
Not sure whether this is intentional, but this is allowed on RHEL6.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279
selinux-policy-2.4.6-300

Additional info:

On RHEL5:
# sesearch -s traceroute_t -c file -p write --allow
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append }; 
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append }; 

On RHEL6:
$ sesearch -s traceroute_t -t tmp_t -c file  --allow
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
$ sesearch -s traceroute_t -t tmp_t -c dir  --allow
Found 1 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ;

Comment 1 Miroslav Grepl 2010-12-14 12:15:31 UTC
Are the tools started from an init script?

But what is strange is where the first rule comes from. I am not seeing it in Fedora 13, which has the same policy as the latest RHEL6 policy.

I mean

Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;

Comment 2 Miroslav Grepl 2010-12-14 12:47:58 UTC
(In reply to comment #1)
> Are tools started from init script?
> 

If you run it in RHTS, you will need to add to your test script

traceroute localhost | cat > /tmp/testroute

Comment 3 Miroslav Grepl 2010-12-14 13:40:51 UTC
Ok, I have found the culprit.

# rpm -qa --scripts | grep semodule
semodule -b base.pp.bz2 -i $packages -s targeted; 
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip 2>/dev/null
semodule -b base.pp.bz2 -i $packages -s targeted; 
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :
semodule -r rhts 2>/dev/null || :
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :

# rpm -qf /usr/share/selinux/packages/rhts/rhts.pp
rhts-test-env-4.26-1.el6.noarch


I am really interested in what I will see in this policy.

Comment 4 Daniel Walsh 2010-12-14 13:56:56 UTC
Yes, the test policy allows tools to write to tmp_t. If you remove this policy, traceroute_t would fail the write.
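An added example, not part of this bug report or of selinux-policy: it parses sesearch allow-rule lines of the form quoted above and answers the question the report raises, whether traceroute_t may write a tmp_t file. The rule text is a constructed sample copied from the RHEL5 and RHEL6 outputs in the description; the attrs mapping that places traceroute_t in the domain attribute is an assumption made so the RHEL6 rule, which sesearch printed against the attribute rather than the type, can be resolved.

```python
import re
from dataclasses import dataclass

# Constructed sample: the allow rules sesearch printed on RHEL5 (from the description).
RHEL5_RULES = """\
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append };
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append };
"""

# Constructed sample: the rules sesearch printed on RHEL6, supplied by the rhts test policy.
RHEL6_RULES = """\
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
   allow domain tmp_t : dir { getattr search open } ;
"""

# One sesearch allow line: "allow <source> <target> : <class> { perms } ;"
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;")


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_rules(text):
    """Return the AllowRule objects found in sesearch output; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append(AllowRule(m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split())))
    return rules


def allowed(rules, source, target, tclass, perm, attrs=None):
    """True if some rule grants perm to source (or to an attribute source carries) on target:tclass.

    attrs maps a type to the attribute names it is a member of (assumed input; sesearch on
    RHEL6 printed the rule with the attribute 'domain' as its source, not the concrete type).
    """
    attrs = attrs or {}
    sources = {source} | set(attrs.get(source, ()))
    return any(r.source in sources and r.target == target and r.tclass == tclass and perm in r.perms
               for r in rules)
```

With the RHEL5 rules the write is denied (only tmpfs_t is writable, matching the reporter's workaround); with the RHEL6 rules it is granted only once traceroute_t is resolved through the domain attribute.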

