It is probably a bug in the SELinux policy with regard to the semanage binary (which has its own context, semanage_t) and the /tmp directory, which has its own context too: tmp_t.
I was able to reproduce almost the same results on my CentOS 5.6.
# file /tmp/users.txt
/tmp/users.txt: ERROR: cannot open `/tmp/users.txt' (No such file or directory)
# semanage login -l > /tmp/users.txt
# file /tmp/users.txt
/tmp/users.txt: empty
# semanage login -l >> /tmp/users.txt
# file /tmp/users.txt
/tmp/users.txt: empty
When I tried to use a file in a different directory I got normal results:
# file /root/users.txt
/root/users.txt: ERROR: cannot open `/root/users.txt' (No such file or directory)
# semanage login -l > /root/users.txt
# file /root/users.txt
/root/users.txt: ASCII text
The difference between /tmp and /root is their context:
# ls -Zd /root/
drwxr-x--- root root root:object_r:user_home_dir_t /root/
# ls -Zd /tmp/
drwxrwxrwt root root system_u:object_r:tmp_t /tmp/
And finally, after trying to redirect into a file in /tmp I got the following errors in /var/log/audit/audit.log:
type=AVC msg=audit(1310971817.808:163242): avc: denied { write } for pid=10782 comm="semanage" path="/tmp/users.txt" dev=dm-0 ino=37093377 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1310971838.888:163255): avc: denied { append } for pid=11372 comm="semanage" path="/tmp/users.txt" dev=dm-0 ino=37093377 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
Interesting note: redirecting semanage output to a pipe works OK:
# semanage login -l | tee /tmp/users.txt > /tmp/users1.txt
# file /tmp/users.txt
/tmp/users.txt: ASCII text
# file /tmp/users1.txt
/tmp/users1.txt: ASCII text
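A small triage helper for the AVC records quoted in the answer above. This is an added example, not code from the original post: it reads `type=AVC` lines from audit.log, pulls out the denied permission, the source and target SELinux types and the object class, and counts how often a given source type was denied against a given target type. The two sample records are the ones from the post, re-joined onto single lines; the function names (`avc_summary`, `avc_count`) are my own.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log records.
# The sample below is the pair of records quoted in the post above,
# re-joined onto single lines (constructed input for this demo).
AVC_SAMPLE='type=AVC msg=audit(1310971817.808:163242): avc: denied { write } for pid=10782 comm="semanage" path="/tmp/users.txt" dev=dm-0 ino=37093377 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1310971838.888:163255): avc: denied { append } for pid=11372 comm="semanage" path="/tmp/users.txt" dev=dm-0 ino=37093377 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file'

# avc_summary: read AVC records on stdin and print one line per denial:
#   <source type> <target type> <class> <permission> <comm>
# The type is the third colon-separated field of an SELinux context
# (user:role:type:level), which is what policy rules are written against.
avc_summary() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            perm = ""; comm = ""; st = ""; tt = ""; cls = ""
            # the denied permission is the word between the braces
            if (match($0, /denied [{] [a-z_]+ [}]/)) {
                perm = substr($0, RSTART + 9, RLENGTH - 11)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
                if (kv[1] == "tclass")   { cls = kv[2] }
            }
            print st, tt, cls, perm, comm
        }'
}

# avc_count SRC TGT: number of denials on stdin where source type SRC
# was denied something on an object of target type TGT.
avc_count() {
    avc_summary | awk -v s="$1" -v t="$2" '$1 == s && $2 == t { n++ } END { print n + 0 }'
}

# Demo on the constructed sample: the semanage_t domain was denied
# write and append on a tmp_t file, which is exactly the redirect failure
# described in the post.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf 'semanage_t -> tmp_t denials: %s\n' "$(printf '%s\n' "$AVC_SAMPLE" | avc_count semanage_t tmp_t)"
```

On a live system feed it with `grep AVC /var/log/audit/audit.log | avc_summary` or `ausearch -m avc --raw | avc_summary`. Once the source and target types are known, the same output tells you whether the sensible fix is to write the file somewhere with an allowed label (as the answer's /root test and the `tee` pipe show) or to carry the denial to the distribution as a policy bug; generating a local allow rule for semanage_t on tmp_t with audit2allow is the last resort, since it widens what the policy-management domain may write.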
Parentheses denote a subshell in bash. To quote the man bash page:
(list) list is executed in a subshell environment (see COMMAND
EXECUTION ENVIRONMENT below). Variable assignments and builtin
commands that affect the shell's environment do not remain in
effect after the command completes. The return status is the
exit status of list.
where a list is just a normal sequence of commands.
This is actually quite portable and not specific to just bash though. The POSIX Shell Command Language spec has the following description for the (compound-list) syntax:
Execute compound-list in a subshell environment; see Shell Execution Environment. Variable assignments and built-in commands that affect the environment shall not remain in effect after the list finishes.
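The quoted wording is easiest to believe once you watch what does and does not survive the closing parenthesis. The following is an added example, not code from the answer above; the function names are my own, and it runs under any POSIX sh as the answer says (the status capture is written as `|| st=$?` so it also behaves under `set -e`).

```shell
#!/bin/sh
# Added example: what a ( list ) subshell leaks back to its parent. Nothing.

# Variable assignments and cd inside ( ) do not survive the subshell.
# Prints "<var afterwards> <did the cwd change: yes|no>".
subshell_keeps_parent_state() {
    var=outer
    here=$PWD
    ( var=inner; cd / )          # both changes happen only in the child
    if [ "$PWD" != "$here" ]; then changed=yes; else changed=no; fi
    printf '%s %s\n' "$var" "$changed"
}

# By contrast, { list; } is a plain group in the current shell,
# so the same assignment does persist.
group_changes_parent() {
    var=outer
    { var=inner; }
    echo "$var"
}

# The return status of ( list ) is the status of the last command in it.
subshell_status() {
    st=0
    ( true; false ) || st=$?     # capture the status without tripping set -e
    echo "$st"
}

# exit inside ( ) ends only the subshell; the parent keeps running and
# sees the exit code as the subshell's status.
subshell_exit_is_local() {
    st=0
    ( exit 3 ) || st=$?
    echo "parent still running, child status $st"
}

subshell_keeps_parent_state   # outer no
group_changes_parent          # inner
subshell_status               # 1
subshell_exit_is_local        # parent still running, child status 3
```

The practical consequence for scripts is the familiar `( cd "$dir" && tar ... )` idiom: you can change directory, set `umask`, `ulimit` or `IFS`, or `exit` on error inside the parentheses without having to undo any of it afterwards, because the parent shell never saw it.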
Best Answer
This is a backtick. A backtick is not a quotation sign. It has a very special meaning. Everything you type between backticks is evaluated (executed) by the shell before the main command (like chown in your examples), and the output of that execution is used by that command, just as if you'd typed that output at that place in the command line. So, what effectively runs (depending on your user ID) is:
Have a look at this question to learn why, in many situations, it is not a good idea to use backticks.
Btw, if you ever wanted to use a backtick literally, e.g. in a string, you can escape it by placing a backslash (\) before it.