* [patch] allow rpm_t to create/relabel device files too
From: Colin Walters @ 2004-08-04 15:26 UTC (permalink / raw)
To: dwalsh, rcoker; +Cc: selinux
Hi,
The attached patch allows rpm_t to create/relabel device files - I
needed this when upgrading the "dev" package on my system. I'm
surprised this hasn't been caught before, maybe I missed something.
Some AVC messages for reference:
Aug 4 11:11:43 decepticon kernel: audit(1091632303.691:0): avc: denied { getattr } for pid=31094 exe=/usr/bin/python path=/dev/dri dev=sda2 ino=10111422 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Aug 4 11:16:50 decepticon kernel: audit(1091632610.920:0): avc: denied { relabelfrom } for pid=31149 exe=/usr/bin/python name=dri dev=sda2 ino=10111422 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
[-- Attachment #1.2: dev.patch --]
[-- Type: text/x-patch, Size: 1141 bytes --]
--- policy-1.15.11/domains/program/unused/rpm.te~ 2004-07-31 06:22:37.000000000 -0400
+++ policy-1.15.11/domains/program/unused/rpm.te 2004-08-04 11:20:40.165411688 -0400
@@ -90,9 +90,9 @@
general_domain_access(rpm_script_t)
# read/write/create any files in the system
-allow rpm_t { file_type - shadow_t }:{ file lnk_file dir fifo_file sock_file chr_file blk_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file chr_file blk_file } create_file_perms;
+allow rpm_t { file_type device_type -shadow_t }:{ file lnk_file dir fifo_file sock_file chr_file blk_file } { relabelfrom relabelto };
+allow rpm_t { file_type device_type - shadow_t }:dir create_dir_perms;
+allow rpm_t { file_type device_type - shadow_t }:{ file lnk_file fifo_file sock_file chr_file blk_file } create_file_perms;
allow rpm_t sysfs_t:filesystem getattr;
allow rpm_t tmpfs_t:filesystem getattr;
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
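Review bot: the first `+` line writes the set as `{ file_type device_type -shadow_t }` while the next two `+` lines (and all three deleted lines) write `- shadow_t`; make the spacing consistent across the three rules. Beyond style, all three rules are widened from `file_type` to `file_type device_type` at once, including `create_file_perms` on `chr_file`/`blk_file` for every device type, whereas the only denials quoted in the mail are `getattr` and `relabelfrom` on a `dir` labelled `dri_device_t`, and the reply in this thread says that directory should have been `device_t` and is already fixed in newer policy. The description should state which device types rpm still legitimately needs to create or relabel once the label is corrected; if none, the patch is not needed.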
* Re: [patch] allow rpm_t to create/relabel device files too
From: Daniel J Walsh @ 2004-08-04 15:26 UTC (permalink / raw)
To: Colin Walters; +Cc: rcoker, selinux
Colin Walters wrote:
>Hi,
>
>The attached patch allows rpm_t to create/relabel device files - I
>needed this when upgrading the "dev" package on my system. I'm
>surprised this hasn't been caught before, maybe I missed something.
>
>Some AVC messages for reference:
>
>Aug 4 11:11:43 decepticon kernel: audit(1091632303.691:0): avc: denied { getattr } for pid=31094 exe=/usr/bin/python path=/dev/dri dev=sda2 ino=10111422 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
>Aug 4 11:16:50 decepticon kernel: audit(1091632610.920:0): avc: denied { relabelfrom } for pid=31149 exe=/usr/bin/python name=dri dev=sda2 ino=10111422 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
>
>
>
The /dev/dri directory is mislabeled. It should be device_t. The latest
policy fixes this.
Dan
>------------------------------------------------------------------------
>
>--- policy-1.15.11/domains/program/unused/rpm.te~ 2004-07-31 06:22:37.000000000 -0400
>+++ policy-1.15.11/domains/program/unused/rpm.te 2004-08-04 11:20:40.165411688 -0400
>@@ -90,9 +90,9 @@
> general_domain_access(rpm_script_t)
>
> # read/write/create any files in the system
>-allow rpm_t { file_type - shadow_t }:{ file lnk_file dir fifo_file sock_file chr_file blk_file } { relabelfrom relabelto };
>-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
>-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file chr_file blk_file } create_file_perms;
>+allow rpm_t { file_type device_type -shadow_t }:{ file lnk_file dir fifo_file sock_file chr_file blk_file } { relabelfrom relabelto };
>+allow rpm_t { file_type device_type - shadow_t }:dir create_dir_perms;
>+allow rpm_t { file_type device_type - shadow_t }:{ file lnk_file fifo_file sock_file chr_file blk_file } create_file_perms;
> allow rpm_t sysfs_t:filesystem getattr;
> allow rpm_t tmpfs_t:filesystem getattr;
> dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
>
>
--
This message was distributed to subscribers of the selinux mailing list.
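The two messages above illustrate the basic triage question for an AVC denial: does the domain need a new allow rule (the first mail's patch), or is the object simply carrying the wrong label (the reply's answer for /dev/dri)? The following script is an added example, not code from either mail or from the SELinux policy sources. It parses the old-format `avc: denied` lines quoted in the thread, unions them into the `allow` shape a tool like audit2allow prints, and then compares each target's type against an expected-context table. That table, the third (chr_file) log line, and the basename lookup used when a record carries `name=` instead of `path=` are all constructed for the example; a real check would ask the loaded policy's file_contexts.

```python
"""Triage SELinux AVC denials: new allow rule, or just relabel the object?

Added example. Parses old-style "avc: denied { perm } for key=value ..."
lines, groups them like audit2allow, and flags targets whose current type
differs from the expected one so they are reported as "relabel" rather
than turned into policy.
"""
import re
from collections import defaultdict

# The two denials quoted in the thread plus one constructed chr_file denial
# whose label already matches the expected context table below.
SAMPLE_LOG = """\
Aug 4 11:11:43 decepticon kernel: audit(1091632303.691:0): avc: denied { getattr } for pid=31094 exe=/usr/bin/python path=/dev/dri dev=sda2 ino=10111422 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Aug 4 11:16:50 decepticon kernel: audit(1091632610.920:0): avc: denied { relabelfrom } for pid=31149 exe=/usr/bin/python name=dri dev=sda2 ino=10111422 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Aug 4 11:17:02 decepticon kernel: audit(1091632622.100:0): avc: denied { create } for pid=31149 exe=/usr/bin/python name=card0 dev=sda2 ino=10111430 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file
"""

# Expected type per path. Constructed for this example (the /dev/dri entry
# follows the reply in the thread); real code would consult file_contexts.
EXPECTED_CONTEXT = {"/dev/dri": "device_t", "/dev/dri/card0": "dri_device_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")


def parse_avc(line):
    """Return {'perms': [...], key: value, ...} for an AVC line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    # Old kernel format: unquoted, whitespace-separated key=value tokens,
    # so a path containing spaces would not survive this split.
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def suggest_rules(records):
    """Union permissions per (source type, target type, class) and render
    each group as an allow rule, the way audit2allow summarises a log."""
    grouped = defaultdict(set)
    for rec in records:
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return {
        key: "allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(sorted(perms)))
        for key, perms in grouped.items()
    }


def resolve_path(rec, expected):
    """Use path= when present; otherwise match name= against the basenames
    in the expected table (constructed heuristic; None when ambiguous)."""
    if "path" in rec:
        return rec["path"]
    name = rec.get("name")
    candidates = [p for p in expected if p.rsplit("/", 1)[-1] == name]
    return candidates[0] if len(candidates) == 1 else None


def classify(rec, expected):
    """'relabel' if the object's type is not the expected one (restorecon
    territory), 'policy' if the label is right and the permission is
    genuinely missing, 'unknown' if the path cannot be resolved."""
    path = resolve_path(rec, expected)
    if path is None or path not in expected:
        return "unknown", path
    actual = context_type(rec["tcontext"])
    return ("relabel" if actual != expected[path] else "policy"), path


def triage(log_text, expected=EXPECTED_CONTEXT):
    """Parse every AVC line in log_text; return (records, verdict -> paths)."""
    records = [r for r in (parse_avc(line) for line in log_text.splitlines()) if r]
    verdicts = {}
    for rec in records:
        verdict, path = classify(rec, expected)
        verdicts.setdefault(verdict, set()).add(path)
    return records, verdicts


if __name__ == "__main__":
    recs, result = triage(SAMPLE_LOG)
    for rule in suggest_rules(recs).values():
        print(rule)
    for verdict, paths in sorted(result.items()):
        print(verdict, sorted(p or "?" for p in paths))
```

Run on the sample, the two thread denials collapse into `allow rpm_t dri_device_t:dir { getattr relabelfrom };` but both are classified as "relabel" because /dev/dri carries dri_device_t where device_t is expected, which is exactly the reply's point; only the constructed card0 denial, whose label matches, is reported as a real policy gap.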