Description of problem:
Tools such as traceroute or nmap have the context traceroute_exec_t. traceroute_t is not allowed to read from/write to files with the tmp_t context, nor to access directories with that context. Therefore I am, e.g., unable to use nmap in a script and redirect the output into the /tmp directory (I have to manually change the context of the output file, e.g. to tmpfs_t, prior to the nmap execution). Not sure whether this is intentional, but this is allowed on RHEL6.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279
selinux-policy-2.4.6-300

Additional info:

On RHEL5:

# sesearch -s traceroute_t -c file -p write --allow
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append };
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append };

On RHEL6:

$ sesearch -s traceroute_t -t tmp_t -c file --allow
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;

$ sesearch -s traceroute_t -t tmp_t -c dir --allow
Found 1 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ;
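An added example, not from the bug report or the selinux-policy package: a small Python parser for the sesearch --allow output quoted above. It answers whether a source type holds a permission on a target type and object class, counting rules written against an attribute the type belongs to (the membership of traceroute_t in the domain attribute is an assumption here, inferred from the RHEL6 query returning an "allow domain" rule), and lists which targets are writable in each release's output.

```python
import re

# Constructed sample input: the RHEL5 sesearch output quoted in the report.
RHEL5_OUTPUT = """\
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append };
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append };
"""

# Constructed sample input: both RHEL6 queries from the report, concatenated.
RHEL6_OUTPUT = """\
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
Found 1 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ;
"""

# Assumed attribute membership: traceroute_t carries the 'domain' attribute, which is
# why `sesearch -s traceroute_t` returned a rule whose source is 'domain'.
ATTRS = {"domain": {"traceroute_t"}}

# One AV rule: "allow <source> <target> : <class> { <perms> }", with or without a trailing ';'.
AV_RULE = re.compile(r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}")


def parse_av_rules(text):
    """Parse sesearch --allow output into (source, target, class, frozenset(perms)) tuples."""
    return [(m["src"], m["tgt"], m["cls"], frozenset(m["perms"].split()))
            for m in AV_RULE.finditer(text)]


def _names_for(src, attrs):
    # The type itself plus every attribute it is a member of.
    return {src} | {a for a, members in (attrs or {}).items() if src in members}


def allowed(rules, src, tgt, cls, perm, attrs=None):
    """True if src gets perm on (tgt, cls), directly or through an attribute it belongs to."""
    names = _names_for(src, attrs)
    return any(s in names and t == tgt and c == cls and perm in perms
               for s, t, c, perms in rules)


def writable_targets(rules, src, cls, attrs=None):
    """Set of target types on which src holds 'write' for the given object class."""
    names = _names_for(src, attrs)
    return {t for s, t, c, perms in rules if s in names and c == cls and "write" in perms}


if __name__ == "__main__":
    r5, r6 = parse_av_rules(RHEL5_OUTPUT), parse_av_rules(RHEL6_OUTPUT)
    print("RHEL5 tmp_t writable:", allowed(r5, "traceroute_t", "tmp_t", "file", "write", ATTRS))
    print("RHEL6 tmp_t writable:", allowed(r6, "traceroute_t", "tmp_t", "file", "write", ATTRS))
```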
Are the tools started from an init script?

But what is strange is where the first rule comes from. I am not seeing it in Fedora 13, which has the same policy as the latest RHEL6 policy. I mean:

Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
(In reply to comment #1)
> Are the tools started from an init script?
>
If you run it in RHTS, you will need to add to your test script:

traceroute localhost | cat > /tmp/testroute
OK, I have found the culprit.

# rpm -qa --scripts | grep semodule
semodule -b base.pp.bz2 -i $packages -s targeted;
semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip 2>/dev/null
semodule -b base.pp.bz2 -i $packages -s targeted;
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :
semodule -r rhts 2>/dev/null || :
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :

# rpm -qf /usr/share/selinux/packages/rhts/rhts.pp
rhts-test-env-4.26-1.el6.noarch

I am really interested in what I will see in this policy.
Yes, the test policy allows tools to write to tmp_t. If you remove this policy, traceroute_t would fail the write.