Davide Bolcioni wrote:
This is one of the tricky things about SELinux. An admin can redirect output from a confined domain to any directory, so writing policy to allow output to all possible file_types is not good security or policy. So this problem is really a difficult problem to solve. Allowing confined domains to write to /tmp just for redirection might not seem unreasonable, but this could be an attack vector from a confined domain against users.

Greetings,

I tried the following:

    lvm vgs -o vg_name,vg_extent_size --units=k | cat > /tmp/vgs2
    lvm vgs -o vg_name,vg_extent_size --units=k > /tmp/vgs1

and obtained

    -rw-r--r-- 1 root root 0 Apr 15 11:49 /tmp/vgs1
    -rw-r--r-- 1 root root 28 Apr 15 11:49 /tmp/vgs2

but as you can see in the attached /var/log/audit.d/audit.log fragment, writing from an executable running in the lvm_t context to an object labeled with the tmp_t context is not allowed by the targeted policy.

My setup:

    libselinux-1.33.4-2.fc6
    selinux-policy-targeted-2.4.6-49.fc6
    selinux-policy-2.4.6-49.fc6

Should I open a Bugzilla for this?

BTW, you have a mislabeled .cache file.

    restorecon -v /etc/lvm/.cache

Thank you for your consideration,
Davide Bolcioni