Bug 662962 – traceroute_t cannot write to tmp_t

Bug 662962 - traceroute_t cannot write to tmp_t

Summary:	traceroute_t cannot write to tmp_t

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	5.6
Hardware:	Unspecified Unspecified

Priority	low Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Karel Srot
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-12-14 04:34 EST by Karel Srot
Modified:	2011-02-10 03:14 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2011-02-10 03:14:41 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Karel Srot 2010-12-14 04:34:46 EST

Description of problem:

Tools such as traceroute or nmap do have context traceroute_exec_t. 
traceroute_t is not allowed to read from/write to files with tmp_t context, also access directories with such context. Therefore I am e.g. unable to use nmap in the script and redirect the output into /tmp directory (I have to manually change the context of the output file e.g. to tmpfs_t prior the nmap execution).
Not sure whether this is intentional but this is allowed on RHEL6.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279
selinux-policy-2.4.6-300

Additional info:

On RHEL5:
# sesearch -s traceroute_t -c file -p write --allow
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append }; 
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append }; 

On RHEL6:
$ sesearch -s traceroute_t -t tmp_t -c file  --allow
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
$ sesearch -s traceroute_t -t tmp_t -c dir  --allow
Found 1 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ;

Comment 1 Miroslav Grepl 2010-12-14 07:15:31 EST

Are tools started from init script?



But strange is where the first rule comes from it. I am not seeing it in Fedora13 which has the same policy as the latest RHEL6 policy.

I mean

Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;

Comment 2 Miroslav Grepl 2010-12-14 07:47:58 EST

(In reply to comment #1)
> Are tools started from init script?
> 

If you run it in RHTS, you will need to add to your test script

traceroute localhost | cat > /tmp/testroute

Comment 3 Miroslav Grepl 2010-12-14 08:40:51 EST

Ok, I have found a culprit.

# rpm -qa --scripts | grep semodule
semodule -b base.pp.bz2 -i $packages -s targeted; 
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip 2>/dev/null
semodule -b base.pp.bz2 -i $packages -s targeted; 
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :
semodule -r rhts 2>/dev/null || :
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :

# rpm -qf /usr/share/selinux/packages/rhts/rhts.pp
rhts-test-env-4.26-1.el6.noarch


I am really interested what I will see in this policy.

Comment 4 Daniel Walsh 2010-12-14 08:56:56 EST

Yes the test policy allows tools to write to tmp_t.  If you remove this policy traceroute_t would fail the write.

Note You need to log in before you can comment on or make changes to this bug.