On Thu, 2005-12-22 at 20:40 -0600, Robert Nichols wrote:
> Daniel J Walsh wrote:
> > ping runs under the ping_t domain and it is not allowed to write to the
> > home dir. When you redirect in shell, shell has the application open
> > the file which is not allowed. A hack to get around this problem is
> >
> > ping XYZ | cat > /home/dwalsh/myping
>
> It's actually the shell that opens the file for input or output
> redirection, so apparently SELinux is denying a write to a file
> that is already open for writing. Curious.

SELinux rechecks access to open file descriptors when they are inherited
across execve (if the security context of the process is changing, e.g.
due to a domain transition, as in this case) and when they are transferred
via local IPC. That is necessary to control the propagation of access
rights in the system, required for mandatory access control. SELinux also
rechecks access upon use (e.g. read(2) and write(2)) when possible to
support limited revocation upon policy changes and object relabels, but
revocation is difficult to support completely.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
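The following script is an added illustration, not part of the thread above, of why the two
forms behave differently under SELinux: in "cmd > file" the shell opens the file and the
exec'd child merely inherits it as fd 1 (the descriptor SELinux rechecks against the new
domain on execve), whereas in "cmd | cat > file" the child's fd 1 is a pipe and the file is
opened and written by cat, which stays in the caller's domain. It assumes a Linux /proc
filesystem and uses "readlink /proc/self/fd/1" as a stand-in for ping, so each child simply
reports what its own standard output refers to; no SELinux policy is needed to run it.

```shell
#!/bin/sh
# Added example: show which object the exec'd child's stdout refers to in the
# redirect case versus the pipe case. Assumes Linux (/proc/self/fd is read).

# Map the target of fd 1 to a short label.
classify() {
    case "$1" in
        pipe:*) echo pipe ;;     # stdout is an anonymous pipe
        /*)     echo file ;;     # stdout is a path on the filesystem
        *)      echo unknown ;;
    esac
}

# "child > file": the shell opens the file, and the child (the stand-in for
# ping, exec'd from the shell) inherits it as fd 1. Under SELinux, that
# inherited descriptor is rechecked against the child's new domain on execve,
# which is where ping_t would be denied write access to a home-directory file.
stdout_kind_redirect() {
    out=$(mktemp) || return 1
    sh -c 'readlink /proc/self/fd/1' > "$out"
    kind=$(classify "$(cat "$out")")
    rm -f "$out"
    printf '%s\n' "$kind"
}

# "child | cat > file": the child's fd 1 is a pipe; the only process that holds
# the file open for writing is cat, which runs in the caller's own domain, so
# the child's domain never needs write permission on the file's label.
stdout_kind_pipe() {
    out=$(mktemp) || return 1
    sh -c 'readlink /proc/self/fd/1' | cat > "$out"
    kind=$(classify "$(cat "$out")")
    rm -f "$out"
    printf '%s\n' "$kind"
}

# Stand-alone demonstration: prints "redirect: file" and "pipe: pipe".
printf 'redirect: %s\n' "$(stdout_kind_redirect)"
printf 'pipe: %s\n' "$(stdout_kind_pipe)"
```

The labels line up with the thread: "file" is the case where the child domain itself must
hold write access to the home directory file (the check that fails for ping_t), and "pipe" is
the case where the write to the file is performed by cat in the user's domain, which is why
the pipe form is allowed by the same policy. When debugging a denial like this, look for the
AVC record naming the child domain (ping_t here), the target file type, and "write" as the
permission; that combination tells you the denial came from the execve-time recheck of an
inherited descriptor rather than from an open(2) by the child.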