How can I get tcpdump to save captures in an SELinux-enforcing environment?

Asked By BlueSky246 On

I'm trying to configure tcpdump to save its packet captures to the directory `/var/log/tcpdumpd` while SELinux is set to enforcing mode. The directory has the correct context type of `var_log_t`, but SELinux prevents tcpdump from writing to it when I start my tcpdump systemd service with the command `systemctl start my-tcpdumpd.service`. Instead, I get an error saying `Couldn't change ownership of savefile`. This issue only occurs when SELinux is enforcing; it works fine in permissive mode. I verified that the directory is owned by root and has proper permissions (755), but I can't change the context to `pcap_data_t` either, because it doesn't exist. I generated a custom SELinux policy using `ausearch` and `audit2allow`, and I'm curious about how to construct the TE file to create a policy that allows tcpdump to save captures correctly. Any insights on how to proceed?

5 Answers

Answered By LogWatcher On

Check what user the tcpdump process runs as and ensure the log directory is owned by that user. This way, tcpdump won't have problems writing logs. Also, consider temporarily switching SELinux to Permissive when you run tcpdump to see if that resolves the issue.

Answered By TechGuru99 On

You should try relabeling the directory with the `pcap_data_t` SELinux type, which is meant for tcpdump captures. You can use `semanage fcontext -a -t pcap_data_t "/var/log/tcpdumpd(/.*)?"` followed by `restorecon -Rv /var/log/tcpdumpd`. After that, check if the labeling worked with `ls -lZ /var/log/ | grep tcpdumpd`. Good luck!

NetworkNerd22 -

I ran that command to set the context, but it threw an error saying `ValueError: Type pcap_data_t is invalid, must be a file or device type`. It looks like I need to create a custom SELinux policy to use the `pcap_data_t` label.

Answered By SELinuxMaster On

For constructing your TE file, I recommend checking out a detailed guide on SELinux policies. It can get complex, but there's good info online. Alternatively, I’ve created policies before, and there's often extra code needed to specify access types. Just make sure to follow a consistent structure in your TE files. Would you like me to share some examples?

Answered By SecuritySavvy On

Don't forget to check the ownership of your files and directories. tcpdump needs certain permissions to write, especially since it often runs with lowered privileges after capturing traffic. You might need to give additional group permissions to the `/var/log/tcpdumpd/` directory for it to work properly.

BlueSky246 -

I've already confirmed the ownership is set to root, and the permissions should allow for access. Is there a way to get tcpdump to keep its privileges longer to avoid these write issues?

Answered By RiskyBusiness On

You could also just set SELinux to Permissive while testing it temporarily. Just keep in mind that it's not a secure solution for a production environment.
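The question asks how the TE file produced by `ausearch` and `audit2allow` should be structured. The following is an added example of such a module, not from any poster on this page. It assumes tcpdump runs in the `netutils_t` domain (confirm the `scontext` shown in your own AVC records) and that the capture directory keeps its `var_log_t` label; keep only the `allow` lines your denials actually produced and drop the rest.

```selinux
# my-tcpdumpd.te -- added example module, not from the original thread.
# Build and install (assumes checkmodule/semodule_package from the
# policycoreutils tooling):
#   checkmodule -M -m -o my-tcpdumpd.mod my-tcpdumpd.te
#   semodule_package -o my-tcpdumpd.pp -m my-tcpdumpd.mod
#   semodule -i my-tcpdumpd.pp
module my_tcpdumpd 1.0;

require {
    type netutils_t;   # assumed domain of the tcpdump process
    type var_log_t;    # label on /var/log/tcpdumpd from the question
    class dir { search write add_name remove_name };
    class file { create open read write append getattr setattr unlink rename };
    class capability chown;
}

# Create new savefiles and rotated files inside the capture directory.
allow netutils_t var_log_t:dir { search write add_name remove_name };
allow netutils_t var_log_t:file { create open read write append getattr setattr unlink rename };

# "Couldn't change ownership of savefile": after dropping privileges tcpdump
# chown()s the savefile to its unprivileged user, which needs file setattr
# above plus the chown capability. Include this only if an AVC for it appears.
allow netutils_t self:capability chown;
```

Granting write on `var_log_t` lets the tcpdump domain write to anything carrying that label under `/var/log`, so if that is wider than you want, run `audit2allow` again after a test capture and trim the module to the exact denials, or label the directory with a dedicated type defined in this same module.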
