Curious Behavior doing routine redirection of ping output to file...

Stephen Smalley sds at tycho.nsa.gov
Tue Jan 3 15:00:37 UTC 2006


On Thu, 2005-12-22 at 20:40 -0600, Robert Nichols wrote:
> Daniel J Walsh wrote:
> > ping runs under the ping_t domain and it is not allowed to write to the 
> > home dir.  When you redirect in shell, shell has the application open 
> > the file which is not allowed.  A hack to get around this problem is
> > 
> > ping XYZ | cat > /home/dwalsh/myping
> 
> It's actually the shell that opens the file for input or output
> redirection, so apparently SELinux is denying a write to a file
> that is already open for writing.  Curious.

SELinux rechecks access to open file descriptors when they are inherited
across execve (if the security context of the process is changing, e.g.
due to a domain transition, as in this case) and when they are
transferred via local IPC.  That is necessary to control the propagation
of access rights in the system, required for mandatory access control.
SELinux also rechecks access upon use (e.g. read(2) and write(2)) when
possible to support limited revocation upon policy changes and object
relabels, but revocation is difficult to support completely.
  
-- 
Stephen Smalley
National Security Agency
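The denial described above shows up in the audit log as an AVC record in which the confined program (comm="ping", domain ping_t), not the shell that opened the file, is refused write access on a home-directory file. The following is an added example, not code from the thread: it parses a constructed AVC record of that shape and flags the inherited-descriptor pattern. The type name user_home_t and the field layout of the sample record are assumptions based on typical Fedora audit output.

```python
import re

# Constructed sample AVC record (not taken from the thread), shaped like the
# denial the thread describes: ping_t is refused write on a file in the home
# directory that the shell opened before the domain transition to ping_t.
SAMPLE_AVC = (
    'type=AVC msg=audit(1135284000.123:45): avc:  denied  { write } for  '
    'pid=4321 comm="ping" path="/home/dwalsh/myping" dev=dm-0 ino=99 '
    'scontext=user_u:system_r:ping_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file'
)

# "avc: denied { perm ... } for key=value ..." (spacing varies between kernels)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; quoted values (comm, path) may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields plus derived source domain / target type,
    or None when the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # user:role:type:level -> the type component is index 2
    fields['sdomain'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def is_inherited_fd_denial(fields, domain='ping_t', home_type='user_home_t'):
    """True when the record matches the thread's pattern: the confined program
    (not the shell) is denied write on a home-directory file it already holds
    open, i.e. the recheck at execve or at write(2) fired."""
    return (fields is not None
            and fields['result'] == 'denied'
            and 'write' in fields['perms']
            and fields['sdomain'] == domain
            and fields['ttype'] == home_type
            and fields.get('tclass') == 'file')
```

Running the parser over `ausearch -m AVC` output (or /var/log/audit/audit.log) separates this descriptor-inheritance case from an ordinary open(2) denial, which would name the shell as comm and carry an open/create permission instead of a bare write.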