-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/15/2013 03:48 AM, Tim.Einmahl@xxxxxx wrote: > Hi, > > I would like to know, how much risk is there setting allow_domain_fd_use to > 1? > > I am not totally sure about the security impact. Would that allow a process > in one domain to read files and sockets that have been opened by a another > domain? > > > Usually, I disable it, but from time to time I get error messages like: > > - type=AVC msg=audit(1381801383.801:31585): avc: denied { use } for > pid=25761 comm="mail" path="/dev/null" dev=devtmpfs ino=3656 > scontext=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 > tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd > > > type=AVC msg=audit(1381801383.801:31585): avc: denied { use } for > pid=25761 comm="mail" path="/dev/null" dev=devtmpfs ino=3656 > scontext=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 > tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd > > > type=SYSCALL msg=audit(1381801383.801:31585): arch=x86_64 syscall=execve > success=yes exit=0 a0=229fcd0 a1=229fd50 a2=229df90 a3=7fffb994eef0 items=0 > ppid=25741 pid=25761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=(none) ses=1677 comm=mail exe=/bin/mailx > subj=system_u:system_r:logrotate_mail_t:s0-s0:c0.c1023 key=(null) > > > On a hypervisor, I have to allow it, otherwise I get millions of messages > like > > type=SYSCALL msg=audit(1381823069.947:3240474): arch=c000003e syscall=0 > success=no exit=-13 a0=17 a1=7f9045c99ae4 a2=11000 a3=7fffa277af30 items=0 > ppid=1 pid=9616 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 > egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" > exe=2F7573722F6C6962657865632F71656D752D6B766D202864656C6574656429 > subj=system_u:system_r:svirt_t:s0:c559,c791 key=(null) type=AVC > msg=audit(1381823069.947:3240474): avc: denied { use } for pid=9616 > comm="qemu-kvm" path="/dev/net/tun" dev=devtmpfs ino=9274 > scontext=system_u:system_r:svirt_t:s0:c559,c791 > tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=fd > > > Regards Tim > > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > > We usually have this on by default. What OS/Policy version are you seeing this with? This basically means that one process can open a UID and pass it to another process either through a fork/exec or my fd passing. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJdWvgACgkQrlYvE4MpobO4vACg4K//GUzRQRUXhDxkgBOPlAgD yN8AnRT0/EODAKYtkP5YrwIkpepwuXTA =iXdx -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux