[FC5] Wrong default context for hping2

Charles-Edouard Ruault ce at ruault.com
Thu Apr 6 16:09:33 UTC 2006


Hi All,

I've noticed that hping2 (hping2-2.0.0-0.5.rc3) is not labeled with 
the correct security context.
The binary is labeled with context ping_exec_t:
 -rwxr-xr-x  root     root     system_u:object_r:ping_exec_t    /usr/sbin/hping2

But the ping_exec_t domain does not allow the creation of a packet socket. 
Here's the audit log:
type=AVC msg=audit(1144338231.596:1933): avc:  denied  { create } for  pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket

To work around this issue, I simply changed the context of hping2 to 
sbin_t and it works fine.
The other option is to modify the ping_t domain to allow the creation of 
a packet socket.
audit2allow yields the following rule:
allow ping_t self:packet_socket create;

I'll leave the decision up to the package maintainer!

-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C




More information about the fedora-selinux-list mailing list
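
Added example, not part of the original message and not audit2allow's own code: a Python parser that reads AVC denial records like the one quoted in the message and derives the matching allow rules, merging permissions per source type, target type and class. The function names are chosen for this example, and it works from the log text only.

```python
import re
from collections import defaultdict

# The denial quoted in the message, rejoined onto one line.
SAMPLE_LOG = (
    'type=AVC msg=audit(1144338231.596:1933): avc:  denied  { create } for  '
    'pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255 '
    'tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Type field of user:role:type[:level]; the MLS level may contain ':' itself."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {context!r}')
    return parts[2]

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms), or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        return (context_type(fields['scontext']),
                context_type(fields['tcontext']),
                fields['tclass'], m.group(1).split())
    except (KeyError, ValueError):
        return None  # truncated or malformed record: skip rather than guess

def allow_rules(log_text):
    """Merge denials by (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial:
            src, tgt, tclass, perms = denial
            # A domain acting on an object with its own type is written "self".
            merged[(src, 'self' if tgt == src else tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```

Each generated rule widens what every program running in the source domain may do, so review it against the relabeling alternative before loading it.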