Davide Bolcioni wrote:
Greetings,
I tried the following:
lvm vgs -o vg_name,vg_extent_size --units=k | cat > /tmp/vgs2
lvm vgs -o vg_name,vg_extent_size --units=k > /tmp/vgs1
and obtained
-rw-r--r-- 1 root root 0 Apr 15 11:49 /tmp/vgs1
-rw-r--r-- 1 root root 28 Apr 15 11:49 /tmp/vgs2
but as you can see in the attached /var/log/audit.d/audit.log fragment,
writing from an executable running in the lvm_t context to an object labeled
with the tmp_t context is not allowed by the targeted policy.
My setup:
libselinux-1.33.4-2.fc6
selinux-policy-targeted-2.4.6-49.fc6
selinux-policy-2.4.6-49.fc6
Should I open a Bugzilla for this?
This is one of the tricky things about selinux. An admin can redirect
output from a confined domain to any directory, so writing policy to
allow output to all possible file_types is not good security or policy.
So this problem is really a difficult problem to solve. Allowing confined
domains to write to /tmp just for redirection might not seem
unreasonable, but this could be an attack vector from a confined domain
against users.
BTW, you have a mislabeled .cache file. restorecon -v /etc/lvm/.cache
Thank you for your consideration,
Davide Bolcioni
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
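The audit.log fragment Davide attached is not reproduced above, so the following POSIX sh script (an added example, not code from the thread or from the LVM/SELinux projects) works over two constructed AVC records in the audit 1.x line format. It pulls the acting domain, target type, object class and denied permission out of each record and flags the pattern discussed in the thread: a confined domain denied `write` on a `tmp_t` file, which is what a shell redirect into /tmp produces, since the shell opens the file and the confined process inherits the descriptor. The `lvm_t`/`tmp_t`/`etc_t` labels and the `/tmp/vgs1` and `.cache` paths come from the thread; the timestamps, pids and inode numbers are invented.

```shell
#!/bin/sh
# Added example: summarise AVC denial records and spot the "redirect into /tmp"
# pattern. The sample lines below are constructed; only the labels and paths
# echo the mailing-list thread.
SAMPLE_AUDIT='type=AVC msg=audit(1176630552.123:456): avc:  denied  { write } for  pid=1234 comm="lvm" path="/tmp/vgs1" dev=sda1 ino=12345 scontext=root:system_r:lvm_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1176630560.001:457): avc:  denied  { read } for  pid=1240 comm="lvm" name=".cache" dev=sda1 ino=99 scontext=root:system_r:lvm_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1176630552.123:456): arch=40000003 syscall=4 success=no exit=-13'

# avc_field LINE KEY -> value of the first "KEY=value" token, quotes stripped
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission(s) inside "{ ... }", e.g. "write"
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# Third colon-separated field of a context is the SELinux type (lvm_t, tmp_t).
avc_source_type() { avc_field "$1" scontext | cut -d: -f3; }
avc_target_type() { avc_field "$1" tcontext | cut -d: -f3; }

# classify_avc LINE -> not-avc | redirect-to-tmp | check-label | other
# "redirect-to-tmp" is a heuristic: a write denial on a tmp_t file is the
# signature of "confined_cmd > /tmp/file" described in the thread.
classify_avc() {
  line=$1
  case $line in
    *'type=AVC'*) ;;
    *) echo not-avc; return 0 ;;
  esac
  perm=$(avc_perm "$line")
  tclass=$(avc_field "$line" tclass)
  ttype=$(avc_target_type "$line")
  if [ "$perm" = write ] && [ "$tclass" = file ] && [ "$ttype" = tmp_t ]; then
    echo redirect-to-tmp
  elif [ "$tclass" = file ] || [ "$tclass" = dir ]; then
    # A file/dir denial that is not the redirect case: first suspect the label
    # of the object (compare with matchpathcon / restorecon -n -v on a real host).
    echo check-label
  else
    echo other
  fi
}

# report_avc -> one summary line per AVC record in SAMPLE_AUDIT
report_avc() {
  printf '%s\n' "$SAMPLE_AUDIT" | while IFS= read -r line; do
    kind=$(classify_avc "$line")
    [ "$kind" = not-avc ] && continue
    obj=$(avc_field "$line" path)
    [ -n "$obj" ] || obj=$(avc_field "$line" name)
    printf '%s %s -> %s:%s [%s] %s\n' "$(avc_perm "$line")" \
      "$(avc_source_type "$line")" "$(avc_target_type "$line")" \
      "$(avc_field "$line" tclass)" "$obj" "$kind"
  done
}

report_avc
```

Running it prints one line per AVC record: the first is tagged `redirect-to-tmp` (the `> /tmp/vgs1` case, where piping through a command in the caller's own domain, as the `| cat` variant does, keeps the confined domain away from `tmp_t`), the second `check-label` (the `.cache` read denial, for which the thread's answer is `restorecon -v /etc/lvm/.cache`). On a live system replace `SAMPLE_AUDIT` with `ausearch -m avc` output or the raw audit log.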