Jason Johnson wrote:
> Hello all,
>
> I am using SELinux on the latest Debian. It has a few access
> violations here and there, but the one that concerns me most is:
>
> kernel: [1298522.518701] type=1400 audit(1245126419.780:229): avc:
> denied { use } for pid=29944 comm="syslog-ng" path="/dev/null"
> dev=tmpfs ino=634 scontext=system_u:system_r:syslogd_t:s0
> tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=fd
>
>
> /dev/null is:
>
> # semanage fcontext -l|grep null_device_t
> /dev/null    character device    system_u:object_r:null_device_t:s0
> /dev/full    character device    system_u:object_r:null_device_t:s0
>
>
> I don't see a way with semanage to set anything about class "fd" and
> sesearch didn't seem to turn anything up. How could /dev/null fd be
> in context logrotate_t?

The "fd" class represents a file descriptor object, not any filesystem
objects. For example, if you open /tmp/aaa, this file belongs to the
"file" class, but the file descriptor of the file belongs to the "fd"
class.

It seems to me the policy does not allow:

  logrotate_use_fds(syslogd_t)

> I could just add an allow for this on a local module, but my concern
> is: can a user program just set arbitrary fd's to its own target
> context as well?

The fd class inherits the security context of the process which opened
itself.

> I appreciate any insight you all can give.
>
> Sincerely,
> Jason
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
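The point of the reply is that for tclass=fd the tcontext names the domain of the process that created the descriptor, not the label of the file behind it, which is why /dev/null (null_device_t) shows up under logrotate_t. The following is an added example, not code from the thread or from the reference policy: it parses the AVC line quoted above, separates the fd-class case from ordinary filesystem-object classes, and emits the raw audit2allow-style rule and a minimal local module that a policy administrator would compare against the `logrotate_use_fds()` interface the reply recommends. The second sample line and the module name `local_syslogd_fd` are constructed for illustration.

```python
import re

# Sample input: the AVC record quoted in the thread (constructed copy of that line)
SAMPLE_FD_AVC = (
    'kernel: [1298522.518701] type=1400 audit(1245126419.780:229): avc: '
    'denied { use } for pid=29944 comm="syslog-ng" path="/dev/null" '
    'dev=tmpfs ino=634 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=fd'
)

# Constructed contrast: a denial on a filesystem object, where tcontext is the
# file label rather than a process domain (values are invented for illustration)
SAMPLE_FILE_AVC = (
    'kernel: [1.000000] type=1400 audit(1.000:1): avc: denied { read write } '
    'for pid=1 comm="example" path="/dev/null" dev=tmpfs ino=634 '
    'scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict (perms as a list), or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'result': m.group('result'), 'perms': m.group('perms').split(), **fields}


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(':')[2]


def explain_target(avc):
    """Say what the tcontext of a denial actually labels.

    For the fd class the descriptor carries the domain of the process that
    opened it, so tcontext is a process domain; for everything else it is
    the label of the object named by tclass.
    """
    ttype = context_type(avc['tcontext'])
    if avc['tclass'] == 'fd':
        return {'kind': 'file descriptor', 'owner_domain': ttype,
                'path': avc.get('path')}
    return {'kind': avc['tclass'], 'label': ttype, 'path': avc.get('path')}


def allow_rule(avc):
    """Raw allow rule equivalent to the denial, in audit2allow's output style."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"allow {context_type(avc['scontext'])} "
            f"{context_type(avc['tcontext'])}:{avc['tclass']} {perm_text};")


def local_module(avc, name='local_syslogd_fd'):
    """Minimal .te source for a local module carrying the raw rule.

    In a real deployment prefer the reference-policy interface named in the
    reply (logrotate_use_fds(syslogd_t)) over a hand-written allow rule.
    """
    stype, ttype = context_type(avc['scontext']), context_type(avc['tcontext'])
    return '\n'.join([
        f'module {name} 1.0;',
        '',
        'require {',
        f'\ttype {stype};',
        f'\ttype {ttype};',
        f"\tclass {avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        '}',
        '',
        allow_rule(avc),
        '',
    ])


def fd_denials(lines):
    """Filter a log stream down to denials on the fd class."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['result'] == 'denied' and avc['tclass'] == 'fd':
            out.append(avc)
    return out


if __name__ == '__main__':
    for line in (SAMPLE_FD_AVC, SAMPLE_FILE_AVC):
        rec = parse_avc(line)
        print(explain_target(rec))
        print(allow_rule(rec))
    print(local_module(parse_avc(SAMPLE_FD_AVC)))
```

Running the script prints that the first denial targets a descriptor owned by logrotate_t while the second targets a chr_file labelled null_device_t, then the rule `allow syslogd_t logrotate_t:fd use;` and a .te file that can be built with `checkmodule -M -m`, `semodule_package` and `semodule -i`. The `fd_denials` helper is what you would point at a real audit log to see whether any other descriptor-passing denials accompany this one.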