selinux.funchords@xxxxxxxxxxxxx wrote:
I'm not exactly a "newbie," but I'm diving a lot deeper than
I ever have. This one has me a little wrapped around the axle, and
if someone could help clear the fog, I'd appreciate it.
The short version:
I'm trying to redirect the output of ping to a file. I get a 0
byte file as a result.
Where I am now:
When selinux is permissive, it works as I expect it to.
When this started, I had no idea that selinux was running or even what
it was, exactly (I've been running this system for about two weeks).
I've learned a lot since then. But I haven't figured out how to do
anything other than flip bits on existing boolean rules and change
the sestatus mode. For example, how do I fix the above problem?
Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced.
When this began, I posted a message to www.fedoraforum.org
( http://www.fedoraforum.org/forum/showthread.php?t=88238 )
with the title, "BASH: How to redirect ping output to file?"
Later, I found this from /var/log/audit/audit.log ...
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11 success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2 pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1134599953.748:32): path="/root/pingoutput2"
type=CWD msg=audit(1134599953.748:32): cwd="/root"
type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping" flags=101 inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1134599953.748:32): item=1 flags=101 inode=5892482 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
... and I discovered the commands audit2why and audit2allow, which has
this example in the audit2allow man pages ...
$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
<review domains/misc/local.te and customize as desired>
$ make load
... and that's where my zero-byte stack blows.
I have no src directory under /etc/selinux/targeted, nor do I have
anything at all on my system named domains. Still, I tried to follow
the advice by mkdir'ing the necessary directories and creating a
local.te file with the recommended "allow ping_t user_home_t:file write;"
line in it.
Then I typed 'make load' and I really think I actually heard something
laugh at me.
This is the way I learn best, and this isn't anything more than a
curiosity to me. But from what I've told you so far, can you point
me into the right direction?
I did search the archive for this list, as well as the FC3 (which
also seemed to point to these directories that I don't have).
Thanks!
Robb Topolski
robb(at)funchords(dot)com
http://www.funchords.com
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Looks like you need to download the corresponding source for the policy
you are running, e.g. selinux-policy-targeted-source, for that audit2allow
and make load to work.
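Added example, not part of the thread and not audit2allow's own code: a small Python parser showing how the AVC denial quoted above maps to the "allow ping_t user_home_t:file write;" rule mentioned in the first message. The function names are hypothetical and the sample input is the thread's AVC record rejoined onto one line.

```python
import re
from collections import defaultdict

# Constructed input: the AVC and CWD records from the thread, unwrapped.
SAMPLE_LOG = (
    'type=AVC msg=audit(1134599953.748:32): avc: denied { write } for '
    'pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 '
    'scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t '
    'tclass=file\n'
    'type=CWD msg=audit(1134599953.748:32): cwd="/root"\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')

def context_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and CWD records carry no access vector
        f = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        try:
            src, tgt = context_type(f["scontext"]), context_type(f["tcontext"])
            rec = (src, tgt, f["tclass"])
        except (KeyError, ValueError):
            continue  # truncated or wrapped record: skip rather than guess
        yield rec + (m.group("perms").split(),)

def allow_rules(log_text):
    """Merge denials per (source, target, class) and render TE allow rules."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, perm_str))
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The resulting rule is keyed on types, so it lets ping_t write to every file labelled user_home_t, not only /root/pingoutput2; that is the reason the man page excerpt says to review local.te before loading it.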