Curious Behavior doing routine redirection of ping output to file...

Gregory Maxwell gmaxwell at gmail.com
Tue Jan 3 19:11:45 UTC 2006


On 1/3/06, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > > ping XYZ | cat > /home/dwalsh/myping
> >
> > It's actually the shell that opens the file for input or output
> > redirection, so apparently SELinux is denying a write to a file
> > that is already open for writing.  Curious.
>
> SELinux rechecks access to open file descriptors when they are inherited
> across execve (if the security context of the process is changing, e.g.
> due to a domain transition, as in this case) and when they are
> transferred via local IPC.  That is necessary to control the propagation
> of access rights in the system, required for mandatory access control.
> SELinux also rechecks access upon use (e.g. read(2) and write(2)) when
> possible to support limited revocation upon policy changes and object
> relabels, but revocation is difficult to support completely.

Would it be inappropriate to add a compile-time flag to bash to cause
such redirection to always bounce through the shell? Obviously there
would be a performance hit... but the mysterious failure is probably
worse...
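The two models being contrasted in this thread, as an added illustration that is not code from the thread or from bash: `run_direct` does what the shell does for `cmd > path` (open the file first, then let the child inherit the descriptor across execve, which is the point at which SELinux rechecks write access against the new domain when the exec is a domain transition); `run_bounced` is the "bounce through the shell" alternative, where the child only ever sees a pipe and the parent, still in its own domain, copies the data into the file itself. `echo` stands in for `ping` so the program runs offline; the file paths are arbitrary. On a machine without SELinux enforcing, both modes produce the same file, which is exactly why the failure described above looks mysterious from the shell's point of view.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mode 1 (what bash does for `cmd > path`): the parent opens the file, the
 * child inherits that descriptor across execve. If the exec changes the
 * child's SELinux domain, the kernel rechecks write access to the already
 * open file against the new domain, and the child may be denied even though
 * the parent opened the file successfully. Returns the child's exit status. */
static int run_direct(char *const argv[], const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        if (dup2(fd, STDOUT_FILENO) < 0) _exit(127);
        close(fd);
        execvp(argv[0], argv);   /* descriptor for `path` survives the exec */
        _exit(127);
    }
    close(fd);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Mode 2 (the "bounce through the shell" suggestion): the child writes only
 * to a pipe; the parent reads the pipe and writes the file itself. No
 * descriptor for `path` ever crosses the domain transition, so only the
 * parent's own permission to write the file matters. Returns the child's
 * exit status, or -1 if the copy fails. */
static int run_bounced(char *const argv[], const char *path)
{
    int pfd[2];
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {
        close(pfd[0]);
        if (dup2(pfd[1], STDOUT_FILENO) < 0) _exit(127);
        close(pfd[1]);
        execvp(argv[0], argv);   /* child sees only the pipe */
        _exit(127);
    }
    close(pfd[1]);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) { close(pfd[0]); waitpid(pid, NULL, 0); return -1; }
    char buf[4096];
    ssize_t n;
    while ((n = read(pfd[0], buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {             /* handle short writes */
            ssize_t w = write(fd, buf + off, (size_t)(n - off));
            if (w < 0) { close(fd); close(pfd[0]); waitpid(pid, NULL, 0); return -1; }
            off += w;
        }
    }
    close(fd);
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read a file back into a NUL-terminated buffer so the two modes can be
 * compared. Returns the number of bytes read, or -1 on error. */
static ssize_t read_file(const char *path, char *out, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t total = 0;
    ssize_t n;
    while (total < cap - 1 && (n = read(fd, out + total, cap - 1 - total)) > 0)
        total += (size_t)n;
    close(fd);
    out[total] = '\0';
    return (ssize_t)total;
}

int main(void)
{
    /* `echo` is a stand-in for `ping XYZ`; file names are arbitrary. */
    char *argv[] = {"echo", "64 bytes from XYZ", NULL};
    char buf[256];
    int rc = run_direct(argv, "/tmp/myping.direct");
    read_file("/tmp/myping.direct", buf, sizeof buf);
    printf("direct : rc=%d content=%s", rc, buf);
    rc = run_bounced(argv, "/tmp/myping.bounced");
    read_file("/tmp/myping.bounced", buf, sizeof buf);
    printf("bounced: rc=%d content=%s", rc, buf);
    return 0;
}
```

The cost Gregory mentions is visible in `run_bounced`: every byte the child produces is copied through the parent instead of going straight from the child to the file.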



