From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: "Stefan Schulze Frielinghaus" <stefan@seekline.net>
Cc: "Václav Ovsík" <vaclav.ovsik@i.cz>,
selinux@tycho.nsa.gov, selinux-devel@lists.alioth.debian.org
Subject: Re: refpolicy: domains need access to the apt's pty and fifos
Date: Mon, 10 Mar 2008 13:39:49 -0400
Message-ID: <1205170789.25555.20.camel@gorn>
In-Reply-To: <1204925012.2788.5.camel@vogon>
On Fri, 2008-03-07 at 22:23 +0100, Stefan Schulze Frielinghaus wrote:
> On Wed, 2008-03-05 at 16:23 +0100, Václav Ovsík wrote:
> > Hi,
> > running Debian Sid with HEAD refpolicy...
> > I tried to install bind9 and got some further denials for access to pty
> > and pipe of apt_t domain. This is a continuation of the patch from
> > Martin Orr in thread "refpolicy: patch for ldconfig from glibc 2.7...",
> > which was about apt finally.
> >
> > sid:/var/lib/dpkg/info# se_apt-get install bind9
> > Authenticating root.
> > Password:
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > The following extra packages will be installed:
> > libbind9-30 libdns32 libisc32 libisccc30 libisccfg30 liblwres30
> > Suggested packages:
> > bind9-doc dnsutils resolvconf
> > The following NEW packages will be installed:
> > bind9 libbind9-30 libdns32 libisc32 libisccc30 libisccfg30 liblwres30
> > 0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
> > Need to get 1005kB of archives.
> > After this operation, 2789kB of additional disk space will be used.
> > Get:1 http://xenbr0.localdomain sid/main libisc32 1:9.4.2-4 [126kB]
> > Get:2 http://xenbr0.localdomain sid/main libdns32 1:9.4.2-4 [491kB]
> > Get:3 http://xenbr0.localdomain sid/main libisccc30 1:9.4.2-4 [22.3kB]
> > Get:4 http://xenbr0.localdomain sid/main libisccfg30 1:9.4.2-4 [37.8kB]
> > Get:5 http://xenbr0.localdomain sid/main libbind9-30 1:9.4.2-4 [26.1kB]
> > Get:6 http://xenbr0.localdomain sid/main liblwres30 1:9.4.2-4 [39.5kB]
> > Get:7 http://xenbr0.localdomain sid/main bind9 1:9.4.2-4 [262kB]
> > Fetched 1005kB in 0s (3524kB/s)
> > Selecting previously deselected package libisc32.
> > (Reading database ... 68006 files and directories currently installed.)
> > Unpacking libisc32 (from .../libisc32_1%3a9.4.2-4_i386.deb) ...
> > Selecting previously deselected package libdns32.
> > Unpacking libdns32 (from .../libdns32_1%3a9.4.2-4_i386.deb) ...
> > Selecting previously deselected package libisccc30.
> > Unpacking libisccc30 (from .../libisccc30_1%3a9.4.2-4_i386.deb) ...
> > Selecting previously deselected package libisccfg30.
> > Unpacking libisccfg30 (from .../libisccfg30_1%3a9.4.2-4_i386.deb) ...
> > Selecting previously deselected package libbind9-30.
> > Unpacking libbind9-30 (from .../libbind9-30_1%3a9.4.2-4_i386.deb) ...
> > Selecting previously deselected package liblwres30.
> > Unpacking liblwres30 (from .../liblwres30_1%3a9.4.2-4_i386.deb) ...
> > Selecting previously deselected package bind9.
> > Unpacking bind9 (from .../bind9_1%3a9.4.2-4_i386.deb) ...
> > Setting up libisc32 (1:9.4.2-4) ...
> > Setting up libdns32 (1:9.4.2-4) ...
> > Setting up libisccc30 (1:9.4.2-4) ...
> > Setting up libisccfg30 (1:9.4.2-4) ...
> > Setting up libbind9-30 (1:9.4.2-4) ...
> > Setting up liblwres30 (1:9.4.2-4) ...
> > Setting up bind9 (1:9.4.2-4) ...
> > Adding group `bind' (GID 116) ...
> > Done.
> > Adding system user `bind' (UID 110) ...
> > Adding new user `bind' (UID 110) with group `bind' ...
> > Not creating home directory `/var/cache/bind'.
> > wrote key file "/etc/bind/rndc.key"
> > Starting domain name service...: bind.
> >
> > and denials:
> >
> > audit(1204723888.180:9): avc: denied { use } for pid=2164 comm="groupadd" name="3" dev=devpts ino=5 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> > audit(1204723888.180:10): avc: denied { write } for pid=2164 comm="groupadd" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> > audit(1204723888.428:11): avc: denied { use } for pid=2170 comm="useradd" name="3" dev=devpts ino=5 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> > audit(1204723888.428:12): avc: denied { write } for pid=2170 comm="useradd" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> > audit(1204723890.340:13): avc: denied { read write } for pid=2235 comm="modprobe" name="3" dev=devpts ino=5 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file
> > audit(1204723890.340:14): avc: denied { use } for pid=2235 comm="modprobe" name="3" dev=devpts ino=5 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> > audit(1204723890.340:15): avc: denied { write } for pid=2235 comm="modprobe" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> > audit(1204723890.588:16): avc: denied { use } for pid=2239 comm="ifconfig" name="3" dev=devpts ino=5 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> > audit(1204723890.588:17): avc: denied { write } for pid=2239 comm="ifconfig" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> > audit(1204723890.620:18): avc: denied { read write } for pid=2240 comm="named" name="3" dev=devpts ino=5 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file
> > audit(1204723890.620:19): avc: denied { use } for pid=2240 comm="named" name="3" dev=devpts ino=5 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> > audit(1204723890.620:20): avc: denied { write } for pid=2240 comm="named" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> >
> >
> > I tried also to install kernel image and got denials:
> >
> > audit(1204727223.717:45): avc: denied { read write } for pid=2844 comm="depmod" name="3" dev=devpts ino=5 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file
> > audit(1204727223.717:46): avc: denied { use } for pid=2844 comm="depmod" name="3" dev=devpts ino=5 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> > audit(1204727223.717:47): avc: denied { write } for pid=2844 comm="depmod" name="[99536]" dev=pipefs ino=99536 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> >
> >
> > The attached patch solves most of these denials, but I doubt this is the
> > right way. Should some attribute be used for this? I noticed the attribute
> > privfd and the macro domain_interactive_fd(); what about it? Rpm already
> > has such macro calls:
> > ./policy/modules/admin/rpm.te:domain_interactive_fd(rpm_t)
> > ./policy/modules/admin/rpm.te:domain_interactive_fd(rpm_script_t)
> >
> > I tried to use this macro for apt_t, and all the fd use denials above are
> > solved with it. Should things be done in this way?
> >
> > Thanks for comments.
>
> I think it is not really nice to have all these allow rules directly in
> the modules. A similar discussion can be found here:
> http://marc.info/?l=selinux&m=118707242005853&w=2
>
> Especially the first reply of Stephen Smalley, pointing out how rpm
> solves this via domain.if: rpm_use_fds($1) and rpm_read_pipes($1).
>
> If I had to choose between the several fixes for every module or the
> "rpm-way" to allow all usage of file descriptors and read permissions
> then I would vote for the latter.
A better option might be to mimic the inheritance of fds and pipes.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
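The "rpm-way" Stefan refers to, written out for apt as an added illustration (this is not a patch from the thread and not refpolicy's own apt.if): one interface per object class seen in the denials above (apt_t:fd, apt_t:fifo_file, apt_devpts_t:chr_file), plus a single optional_policy block that grants them to the domain attribute the way rpm_use_fds(domain) and rpm_read_pipes(domain) are granted for rpm. The interface names are assumed for the example; the permission-set macros are assumed to be those of refpolicy's obj_perm_sets.

```m4
## apt.if (added interfaces; names are assumed for this example)

## <summary>
##	Inherit and use apt file descriptors (the apt_t:fd use denials).
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`apt_use_fds',`
	gen_require(`
		type apt_t;
	')

	allow $1 apt_t:fd use;
')

## <summary>
##	Read and write inherited apt unnamed pipes (the fifo_file write denials).
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`apt_rw_pipes',`
	gen_require(`
		type apt_t;
	')

	allow $1 apt_t:fifo_file rw_fifo_file_perms;
')

## <summary>
##	Read and write the inherited apt pty (the apt_devpts_t chr_file denials).
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`apt_rw_inherited_ptys',`
	gen_require(`
		type apt_devpts_t;
	')

	allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
')

## domain.te (added block): grant all three to every domain at once,
## mirroring the rpm_use_fds(domain) / rpm_read_pipes(domain) calls.
optional_policy(`
	apt_use_fds(domain)
	apt_rw_pipes(domain)
	apt_rw_inherited_ptys(domain)
')
```

Because the block targets the domain attribute, every confined domain gains write access to apt's pipes and pty, which is the trade-off the thread is weighing against per-module rules or the narrower inheritance-based approach.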