On 1/3/06, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > > ping XYZ | cat > /home/dwalsh/myping
> >
> > It's actually the shell that opens the file for input or output
> > redirection, so apparently SELinux is denying a write to a file
> > that is already open for writing. Curious.
>
> SELinux rechecks access to open file descriptors when they are inherited
> across execve (if the security context of the process is changing, e.g.
> due to a domain transition, as in this case) and when they are
> transferred via local IPC. That is necessary to control the propagation
> of access rights in the system, required for mandatory access control.
> SELinux also rechecks access upon use (e.g. read(2) and write(2)) when
> possible to support limited revocation upon policy changes and object
> relabels, but revocation is difficult to support completely.

Would it be inappropriate to add a compile-time flag to bash to cause such
redirection to always bounce through the shell? Obviously there would be a
performance hit... but the mysterious failure is probably worse...

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
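The recheck Stephen describes shows up in the audit log as a write denial against a file the denied process never opened itself. The following is an added example, not code from the thread or from SELinux: it parses a constructed AVC record of that shape and flags the inherited-descriptor pattern; the shell domain list and the sample record are assumptions.

```python
import re

# Constructed sample AVC record (not from the thread): the shell opened the
# redirect target, then exec'd ping; ping transitioned to ping_t and the
# inherited stdout descriptor was rechecked against that domain and denied.
SAMPLE_AVC = (
    'type=AVC msg=audit(1136300000.123:45): avc:  denied  { write } for  '
    'pid=4321 comm="ping" path="/home/dwalsh/myping" dev=dm-0 ino=98765 '
    'scontext=user_u:user_r:ping_t tcontext=user_u:object_r:user_home_t tclass=file'
)

# Assumed interactive-shell domains; adjust to the policy actually in use.
SHELL_DOMAINS = ("user_t", "staff_t", "unconfined_t")

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, _, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec

def domain(ctx):
    """Type field of a security context (user:role:type[:level])."""
    return ctx.split(":")[2]

def inherited_fd_recheck(rec):
    """Heuristic for the recheck described in the thread: a write denial on a
    regular file by a domain that is not the shell's own, i.e. the descriptor
    was opened by the shell and rechecked when the program changed domain."""
    return (
        rec is not None
        and rec["result"] == "denied"
        and "write" in rec["perms"]
        and rec.get("tclass") == "file"
        and "path" in rec
        and domain(rec["scontext"]) not in SHELL_DOMAINS
    )

def explain(rec):
    """One-line note for a flagged record, naming both domains and the path."""
    return (f'{rec["comm"]} ({domain(rec["scontext"])}) denied write on '
            f'{rec["path"]} ({domain(rec["tcontext"])}): descriptor inherited across execve')
```

Running `inherited_fd_recheck(parse_avc(line))` over `ausearch -m avc` output separates these inherited-descriptor denials from ordinary open(2) failures.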