Bug 662962 - traceroute_t cannot write to tmp_t
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Assigned To: Miroslav Grepl
Reported: 2010-12-14 04:34 EST by Karel Srot
Modified: 2011-02-10 03:14 EST
Doc Type: Bug Fix
Last Closed: 2011-02-10 03:14:41 EST
Description Karel Srot 2010-12-14 04:34:46 EST
Description of problem:

Tools such as traceroute or nmap do have context traceroute_exec_t.
traceroute_t is not allowed to read from/write to files with tmp_t context, or to access directories with such context. Therefore I am e.g. unable to use nmap in the script and redirect the output into the /tmp directory (I have to manually change the context of the output file e.g. to tmpfs_t prior to the nmap execution).
Not sure whether this is intentional but this is allowed on RHEL6.

Version-Release number of selected component (if applicable):

Additional info:

# sesearch -s traceroute_t -c file -p write --allow
Found 3 av rules:
   allow traceroute_t traceroute_t : file { ioctl read write getattr lock append }; 
   allow traceroute_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append }; 

$ sesearch -s traceroute_t -t tmp_t -c file  --allow
Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
$ sesearch -s traceroute_t -t tmp_t -c dir  --allow
Found 1 semantic av rules:
   allow domain tmp_t : dir { getattr search open } ;
Comment 1 Miroslav Grepl 2010-12-14 07:15:31 EST
Are tools started from init script?

But what is strange is where the first rule comes from. I am not seeing it in Fedora 13, which has the same policy as the latest RHEL6 policy.

I mean

Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
Comment 2 Miroslav Grepl 2010-12-14 07:47:58 EST
(In reply to comment #1)
> Are tools started from init script?

If you run it in RHTS, you will need to add to your test script

traceroute localhost | cat > /tmp/testroute
Comment 3 Miroslav Grepl 2010-12-14 08:40:51 EST
Ok, I have found a culprit.

# rpm -qa --scripts | grep semodule
semodule -b base.pp.bz2 -i $packages -s targeted; 
   semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid -r polkit_auth -r polkit -r rtkit_daemon -r ModemManager -r telepathysofiasip 2>/dev/null
semodule -b base.pp.bz2 -i $packages -s targeted; 
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :
semodule -r rhts 2>/dev/null || :
semodule -i /usr/share/selinux/packages/rhts/rhts.pp 2>/dev/null || :

# rpm -qf /usr/share/selinux/packages/rhts/rhts.pp

I am really interested in what I will see in this policy.
Comment 4 Daniel Walsh 2010-12-14 08:56:56 EST
Yes, the test policy allows tools to write to tmp_t. If you remove this policy, traceroute_t would fail the write.

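The clue in this thread was the source of the rule: sesearch reported it with source `domain`, the attribute every confined domain carries, so the rhts test policy had opened tmp_t to far more than traceroute_t. The script below is an added example, not part of this bug report or of the selinux-policy or rhts packages; it parses allow rules in the format sesearch prints above and tags each grant as coming from a concrete type or from the broad `domain` attribute. The sample rules are constructed from the output quoted in the report, and the function name `grant_sources` is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): audit sesearch-style "allow" rules
# and report which source grants a permission on a target type. A source of
# `domain` is the attribute that every confined domain belongs to, so a rule
# like the one the rhts test policy installed applies far beyond traceroute_t.
# Assumed rule format, as printed by sesearch:
#   allow SRC TGT : CLASS { perm perm ... } ;
# Other lines ("Found N semantic av rules:") are ignored.

# Constructed sample, taken from the sesearch output quoted in the report.
SAMPLE_RULES='Found 1 semantic av rules:
   allow domain tmp_t : file { ioctl read write getattr lock append open } ;
   allow traceroute_t tmpfs_t : file { ioctl read write getattr lock append };
   allow domain tmp_t : dir { getattr search open } ;'

# grant_sources TARGET PERM   (rules are read from stdin)
# Prints one line per matching rule: "broad|direct SRC CLASS", where "broad"
# marks a grant made through the `domain` attribute rather than a concrete type.
grant_sources() {
    awk -v tgt="$1" -v perm="$2" '
        $1 == "allow" && $3 == tgt {
            src = $2; cls = $5; inperm = 0; hit = 0
            # permissions sit between "{" and "}" (sesearch may print "};")
            for (i = 6; i <= NF; i++) {
                if ($i == "{") { inperm = 1; continue }
                if ($i ~ /^}/) { inperm = 0; continue }
                if (inperm && $i == perm) hit = 1
            }
            tag = (src == "domain") ? "broad" : "direct"
            if (hit) print tag, src, cls
        }'
}

# Stand-alone run: who may write tmp_t files, and is that a broad grant?
printf '%s\n' "$SAMPLE_RULES" | grant_sources tmp_t write
```

Run against the real output of `sesearch -s traceroute_t --allow` instead of the sample to see whether a grant comes from the type itself or from an attribute pulled in by an extra module such as rhts.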