Targeted policy does not allow lvm output redirection?
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 16 17:52:39 UTC 2007
Davide Bolcioni wrote:
> Greetings,
> I tried the following:
>
> lvm vgs -o vg_name,vg_extent_size --units=k | cat > /tmp/vgs2
> lvm vgs -o vg_name,vg_extent_size --units=k > /tmp/vgs1
>
> and obtained
>
> -rw-r--r-- 1 root root 0 Apr 15 11:49 /tmp/vgs1
> -rw-r--r-- 1 root root 28 Apr 15 11:49 /tmp/vgs2
>
> but as you can see in the attached /var/log/audit.d/audit.log fragment,
> writing from an executable running in the lvm_t context to an object labeled
> with the tmp_t context is not allowed by the targeted policy.
>
> My setup:
>
> libselinux-1.33.4-2.fc6
> selinux-policy-targeted-2.4.6-49.fc6
> selinux-policy-2.4.6-49.fc6
>
> Should I open a Bugzilla for this?
>
>
This is one of the tricky things about SELinux. An admin can redirect
output from a confined domain to any directory, so writing policy to
allow output to all possible file_types is not good security or policy.
So this problem is really a difficult problem to solve. Allowing confined
domains to write to /tmp just for redirection might not seem
unreasonable, but this could be an attack vector from confined domains
against users.
BTW, you have a mislabeled .cache file. restorecon -v /etc/lvm/.cache
> Thank you for your consideration,
> Davide Bolcioni
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
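The audit.log fragment Davide attached is not reproduced in the archive, so as an added example (not part of either mail, and not code from the SELinux project) here is a small parser for the AVC record format that such a fragment contains. It picks out the permission, the source domain and the target type from each denial and flags the pattern discussed in this thread: a confined domain denied write on a file type that an admin reached only by shell redirection. The sample record is constructed for this example (pid, inode and device values are made up; the contexts match the lvm_t/tmp_t case above), and the function names parse_avc, is_redirect_denial and scan are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample audit.log fragment (NOT the attachment from the original
# mail). The second line is the standard AVC record layout written by auditd;
# the pid/ino/dev values are invented, the contexts match the thread's case.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1176637740.123:4242): arch=c000003e syscall=1 success=no exit=-13
type=AVC msg=audit(1176637740.123:4242): avc:  denied  { write } for  pid=12345 comm="lvm" path="/tmp/vgs1" dev=dm-0 ino=98765 scontext=root:system_r:lvm_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
"""
SAMPLE_AVC = SAMPLE_LOG.splitlines()[1]


@dataclass
class AvcDenial:
    perms: tuple        # permissions inside the { ... } braces, e.g. ("write",)
    comm: str           # command name from comm="..."
    path: str           # path="..." if present, else name="..."
    source_type: str    # type field of scontext, e.g. "lvm_t"
    target_type: str    # type field of tcontext, e.g. "tmp_t"
    tclass: str         # object class, e.g. "file"


# "avc:  denied  { write } for  <key=value ...>"
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either a quoted string or a run of non-spaces
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _type_of(context):
    """Return the type component of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit record; return an AvcDenial or None if it is not an AVC denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: val.strip('"') for key, val in _KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return AvcDenial(
        perms=tuple(m.group('perms').split()),
        comm=fields.get('comm', ''),
        path=fields.get('path', fields.get('name', '')),
        source_type=_type_of(fields['scontext']),
        target_type=_type_of(fields['tcontext']),
        tclass=fields.get('tclass', ''),
    )


def is_redirect_denial(denial, targets=frozenset({'tmp_t'})):
    """True for the pattern in this thread: a write denial on a file whose type is
    one an admin reaches by shell redirection (default: only tmp_t, as on the page)."""
    return (denial.tclass == 'file'
            and 'write' in denial.perms
            and denial.target_type in targets)


def scan(log_text, targets=frozenset({'tmp_t'})):
    """Return the redirect-style write denials found in an audit log fragment."""
    hits = []
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is not None and is_redirect_denial(denial, targets):
            hits.append(denial)
    return hits


if __name__ == '__main__':
    for d in scan(SAMPLE_LOG):
        print(f'{d.comm} ({d.source_type}) denied {" ".join(d.perms)} on '
              f'{d.target_type} {d.tclass} {d.path}; pipe through an unconfined '
              f'helper instead, as in: {d.comm} ... | cat > {d.path}')
```

The SYSCALL line shares the event id with the AVC line and is skipped, which is the usual shape of these fragments. The closing hint restates what the two commands at the top of the thread showed: when the confined process writes to a pipe and an unconfined cat performs the write to /tmp, the tmp_t file gets its contents; when lvm_t is handed the redirected file descriptor directly, the policy denies the write.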