While studying for the RHCE, I came across a situation where stdin redirection does not work in bash:
# file /tmp/users.txt
/tmp/users.txt: cannot open `/tmp/users.txt' (No such file or directory)
# semanage login -l > /tmp/users.txt
# file /tmp/users.txt
/tmp/users.txt: empty
However, this works:
# file /tmp/users.txt
/tmp/users.txt: cannot open `/tmp/users.txt' (No such file or directory)
# semanage login -l >> /tmp/users.txt
# file /tmp/users.txt
/tmp/users.txt: ASCII text
Why is this the case?
1st Update:
Permissions:
# ls -ld /tmp
drwxrwxrwt. 8 root root 4096 Jul 17 15:27 /tmp
ACLs (not an ACL mount but just in case):
# getfacl /tmp
getfacl: Removing leading '/' from absolute path names
# file: tmp
# owner: root
# group: root
# flags: --t
user::rwx
group::rwx
other::rwx
And I'm performing all commands as root (hence the hash prompt).
2nd Update:
Per Caleb, full permissions listing of /tmp:
# ls -al /tmp
total 40
drwxrwxrwt. 8 root root 4096 Jul 17 15:37 .
dr-xr-xr-x. 26 root root 4096 Jul 17 15:07 ..
drwx------. 2 melmel melmel 4096 Jul 16 21:08 .esd-500
drwxrwxrwt. 2 root root 4096 Jul 17 15:07 .ICE-unix
drwx------. 2 gdm gdm 4096 Jul 17 15:08 orbit-gdm
drwx------. 2 gdm gdm 4096 Jul 17 15:07 pulse-5E9i88IGxaNh
drwx------. 2 melmel melmel 4096 Jul 16 21:08 pulse-329qCo13Xk
-rw-------. 1 root root 0 Jul 16 14:32 tmpXd9THg
-rw-------. 1 root root 0 Jul 16 12:55 tmpie0O98
-rw-------. 1 root root 0 Jul 16 20:23 tmpr10LrK
-r--r--r--. 1 root root 11 Jul 17 15:07 .X0-lock
drwxrwxrwt. 2 root root 4096 Jul 17 15:07 .X11-unix
-rw-r--r--. 1 root root 865 Jul 16 20:20 yum.conf.security
-rw-------. 1 root root 0 Jul 10 14:57 yum.log
3rd Update:
Per Hello71:
# mount | grep /tmp
# mount | grep -w '/'
/dev/mapper/vg_svr-tap-lv_root on / type ext4 (rw)
Answers to Gilles' questions:
Is this something you read about in a book, or did you reach this situation on a real machine?
Noticed this while performing a lab in a book on a real machine.
Is SELinux in use?
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Some Linux-on-Linux virtualisation?
Yes. KVM/QEMU guest.
I second Hello71's request, except please grep /tmp /proc/mounts
Nothing matches.
Also env | grep '^LD_' please.
Nothing matches.
Oh, and can we rule out active attacks?
Yes we can. I'm the only one that has access to this guest.
Best Answer
It is probably a bug in the SELinux policy with regard to the semanage binary (which has its own context, semanage_t) and the /tmp directory, which has its own context too, tmp_t. I was able to reproduce almost the same results on my CentOS 5.6.
When I tried to use a file in a different directory I got normal results.
The difference between /tmp and /root is their contexts.
And finally, after trying to redirect into a file in /tmp I got the following errors in /var/log/audit/audit.log:
Interesting note: redirecting semanage output to a pipe works OK.