2 Comments

  1. IooNag

    Thanks for your post. I think the path has been hex-encoded because it contains spaces (this being a consequence of being a deleted file). Here is a simple way to get such an AVC with a webserver (requires being root and in permissive mode):

    cd /srv/http && touch "foo bar" && chcon -t shadow_t "foo bar" && curl "http://localhost/foo%20bar"

    This triggers an AVC denial for “open” with path=2F7372762F687474702F666F6F20626172 (unless the web server has access to /etc/shadow).

    Moreover, with xxd, it's possible to do echo 2F7372762F687474702F666F6F20626172 | xxd -p -r to get “/srv/http/foo bar”. This is shorter than your Python command, but requires xxd to be installed.
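
For triage across a whole audit log, the decoding discussed in the comment above can be applied per field. This is an added example, not code from the post or the commenter; the sample record is constructed, and the set of fields treated as hex-encodable strings (`STRING_FIELDS`) is an assumption.

```python
import re

# Constructed sample record, modelled on the denial described in the comment.
SAMPLE = ('type=AVC msg=audit(1400000000.000:100): avc:  denied  { open } for  '
          'pid=1234 comm="httpd" path=2F7372762F687474702F666F6F20626172 '
          'dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file')

# Assumption: these fields carry strings that the kernel writes quoted when
# they are plain printable text and as bare hex when they contain spaces,
# quotes or control characters.
STRING_FIELDS = {"path", "name", "comm", "exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def decode_value(key, raw):
    """Return the readable form of one key=value field."""
    # A quoted value is already literal, even if it looks like hex.
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    # Only string fields are decoded: pid=1234 is also valid even-length hex,
    # so decoding by shape alone would corrupt numeric fields.
    if key in STRING_FIELDS and HEX_RE.fullmatch(raw):
        # surrogateescape keeps non-UTF-8 path bytes instead of raising.
        return bytes.fromhex(raw).decode("utf-8", errors="surrogateescape")
    return raw


def parse_avc(line):
    """Split an AVC record into a dict with string fields decoded."""
    return {key: decode_value(key, raw) for key, raw in FIELD_RE.findall(line)}


if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["comm"], "->", repr(record["path"]), record["tcontext"])
```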
