* refpolicy: patch for ldconfig from glibc 2.7
@ 2008-02-22 15:27 Václav Ovsík
  2008-02-22 18:05 ` Christopher J. PeBenito
  2008-08-12 15:30 ` refpolicy: patch for ldconfig from glibc 2.7 Václav Ovsík
  0 siblings, 2 replies; 15+ messages in thread
From: Václav Ovsík @ 2008-02-22 15:27 UTC (permalink / raw)
  To: selinux, selinux-devel


Hi,
I had some denials for ldconfig on Debian Sid. I took changes from the
Fedora policy package; a patch is attached. I grabbed only the things needed
to suppress the denials below from Fedora.

audit(1203580520.435:11): avc:  denied  { read } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.435:12): avc:  denied  { getattr } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.907:13): avc:  denied  { write } for  pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
...

Thanks
-- 
Zito

[-- Attachment #2: libraries.ldconfig.patch --]

Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc	(revision 2624)
+++ policy/modules/system/libraries.fc	(working copy)
@@ -304,3 +304,5 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
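Review bot: the new file context only takes effect after a relabel; the denials above show the existing directory and aux-cache still carrying var_t, so `restorecon -R /var/cache/ldconfig` (or a full relabel) is needed before these rules do anything, and saying so in the patch description would save the next Debian user the same round trip. The added line also mixes tabs and spaces between the path and gen_context, where the neighbouring entries use tabs only.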
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te	(revision 2624)
+++ policy/modules/system/libraries.te	(working copy)
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
@@ -46,7 +49,9 @@
 
 allow ldconfig_t self:capability sys_chroot;
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
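Review bot: manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t) covers the file and dir denials above (aux-cache~ is created and then renamed over aux-cache, and manage_file_perms includes rename), but it depends on the directory itself being ldconfig_cache_t via the (/.*)? pattern; a /var/cache/ldconfig created fresh on a running system would come out as var_t, so consider adding files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir) alongside. Rewriting the ld_so_cache_t line as manage_files_pattern also grants dir permissions on ld_so_cache_t that nothing exercises, since ld.so.cache is created in an etc_t directory via files_etc_filetrans; harmless, but the old allow rule was the more precise one.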


* Re: refpolicy: patch for ldconfig from glibc 2.7
  2008-02-22 15:27 refpolicy: patch for ldconfig from glibc 2.7 Václav Ovsík
@ 2008-02-22 18:05 ` Christopher J. PeBenito
  2008-02-25 12:41   ` Václav Ovsík
  2008-02-29  7:21   ` refpolicy: patch for ldconfig from glibc 2.7, new patch Václav Ovsík
  2008-08-12 15:30 ` refpolicy: patch for ldconfig from glibc 2.7 Václav Ovsík
  1 sibling, 2 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-02-22 18:05 UTC (permalink / raw)
  To: Václav Ovsík; +Cc: selinux, selinux-devel

On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> Hi,
> I had some denials for ldconfig on Debian Sid. I took changes from the
> Fedora policy package; a patch is attached. I grabbed only the things needed
> to suppress the denials below from Fedora.
> 
> audit(1203580520.435:11): avc:  denied  { read } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> audit(1203580520.435:12): avc:  denied  { getattr } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> audit(1203580520.907:13): avc:  denied  { write } for  pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

This is the right fix, and basically the same fix is queued up for
merging as part of Dan's patch set.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: refpolicy: patch for ldconfig from glibc 2.7
  2008-02-22 18:05 ` Christopher J. PeBenito
@ 2008-02-25 12:41   ` Václav Ovsík
  2008-02-25 13:40     ` Christopher J. PeBenito
  2008-02-25 14:38     ` Daniel J Walsh
  2008-02-29  7:21   ` refpolicy: patch for ldconfig from glibc 2.7, new patch Václav Ovsík
  1 sibling, 2 replies; 15+ messages in thread
From: Václav Ovsík @ 2008-02-25 12:41 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux, selinux-devel

On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.

Ok. Should I stop sending patches based on Dan's Fedora policy?
-- 
Zito



* Re: refpolicy: patch for ldconfig from glibc 2.7
  2008-02-25 12:41   ` Václav Ovsík
@ 2008-02-25 13:40     ` Christopher J. PeBenito
  2008-02-25 14:38     ` Daniel J Walsh
  1 sibling, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-02-25 13:40 UTC (permalink / raw)
  To: Václav Ovsík; +Cc: selinux, selinux-devel

On Mon, 2008-02-25 at 13:41 +0100, Václav Ovsík wrote:
> On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> > This is the right fix, and basically the same fix is queued up for
> > merging as part of Dan's patch set.
> 
> Ok. Should I stop sending patches based on Dan's Fedora policy?

No.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150





* Re: refpolicy: patch for ldconfig from glibc 2.7
  2008-02-25 12:41   ` Václav Ovsík
  2008-02-25 13:40     ` Christopher J. PeBenito
@ 2008-02-25 14:38     ` Daniel J Walsh
  1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-02-25 14:38 UTC (permalink / raw)
  To: Václav Ovsík; +Cc: Christopher J. PeBenito, selinux, selinux-devel


Václav Ovsík wrote:
> On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
>> This is the right fix, and basically the same fix is queued up for
>> merging as part of Dan's patch set.
> 
> Ok. Should I stop sending patches based on Dan's Fedora policy?
No, if more people report it, it gives a better indication that the
Fedora policy is correct.




* Re: refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-02-22 18:05 ` Christopher J. PeBenito
  2008-02-25 12:41   ` Václav Ovsík
@ 2008-02-29  7:21   ` Václav Ovsík
  2008-02-29 13:46     ` Christopher J. PeBenito
  1 sibling, 1 reply; 15+ messages in thread
From: Václav Ovsík @ 2008-02-29  7:21 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux, selinux-devel


Hi,
this is a completion of the previous patch...

On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > Hi,
> > I had some denials for ldconfig on Debian Sid. I took changes from the
> > Fedora policy package; a patch is attached. I grabbed only the things needed
> > to suppress the denials below from Fedora.
> > 
> > audit(1203580520.435:11): avc:  denied  { read } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.435:12): avc:  denied  { getattr } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.907:13): avc:  denied  { write } for  pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> 
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.

When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
with run_init), then the ldconfig called from the postinst and/or postrm
scripts of shared libs brings the following denials:

Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file

The attached patch (which replaces my previous patch) suppresses these messages.
Maybe this could also be solved by adding unconfined_domain(ldconfig_t), like
Fedora or Ubuntu do. (This could be added too.)

Regards
-- 
Zito

[-- Attachment #2: libraries.ldconfig.2.patch --]

Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc	(revision 2626)
+++ policy/modules/system/libraries.fc	(working copy)
@@ -304,3 +304,5 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te	(revision 2626)
+++ policy/modules/system/libraries.te	(working copy)
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
@@ -46,7 +49,9 @@
 
 allow ldconfig_t self:capability sys_chroot;
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -103,3 +108,10 @@
 	# blow up.
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
+
+optional_policy(`
+	# ldconfig run from postinstall, postrm scripts on Debian...
+	apt_rw_pipes(ldconfig_t)
+	apt_use_fds(ldconfig_t)
+	term_use_generic_ptys(ldconfig_t)
+')
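Review bot: term_use_generic_ptys(ldconfig_t) does not belong inside an optional_policy block for apt: it comes from the terminal module in the base policy, which is always present, and the denial it silences (tcontext devpts_t on a chr_file) says the pty apt hands to dpkg still carries the generic devpts_t label, which is a labelling gap to close with a private pty type rather than a reason to let a system domain read and write every generic pty. The apt_rw_pipes/apt_use_fds pair, by contrast, matches the fifo_file and fd denials exactly.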

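As an added example (not code from the thread or from refpolicy), a small Python analyser that groups the AVC lines quoted in the first message and in this one by source type, target type and object class, then separates denials whose target still carries a generic label (var_t, devpts_t), which the patches address with a new file context or pty type plus a relabel, from those against a specific domain type (apt_t), which need an allow rule. The GENERIC_TYPES set is this example's own heuristic.

```python
"""Group SELinux AVC denials and tell two causes apart.

A denial whose target still carries a generic label (var_t for a file under
/var, devpts_t for a pty) is a labelling problem: the fix is a file context
or a private pty type plus a relabel, not a wider allow rule.  A denial
against a specific domain type (apt_t fd / fifo_file) is a missing rule.
GENERIC_TYPES is this example's own heuristic, not something from refpolicy.
"""
import re
from collections import defaultdict

# Sample input: the denial lines quoted in this thread (two separate runs).
SAMPLE_AVC = """\
audit(1203580520.435:11): avc:  denied  { read } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.435:12): avc:  denied  { getattr } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.907:13): avc:  denied  { write } for  pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
"""

# Assumption: fallback types that usually mean "nobody has labelled this yet".
GENERIC_TYPES = {"var_t", "etc_t", "tmp_t", "var_lib_t", "var_log_t", "devpts_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source type, target type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # malformed or truncated record
    return stype, ttype, tclass, set(m.group("perms").split())


def summarize(text):
    """Merge denials into {(stype, ttype, tclass): sorted permission list}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return {key: sorted(perms) for key, perms in merged.items()}


def suggest(summary, generic_types=GENERIC_TYPES):
    """Emit an allow rule per group, or a comment when the target type is generic."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        if ttype in generic_types:
            out.append("# %s -> %s:%s %s: target has a generic label; fix the file "
                       "context / pty type and relabel instead of allowing"
                       % (stype, ttype, tclass, perm_str))
        else:
            out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return out


if __name__ == "__main__":
    for rule in suggest(summarize(SAMPLE_AVC)):
        print(rule)
```

Run against the sample, only the two apt_t groups come out as allow rules; the var_t and devpts_t groups are reported as labelling problems, which is what the file context and apt_devpts_t changes in this thread fix.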

* Re: refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-02-29  7:21   ` refpolicy: patch for ldconfig from glibc 2.7, new patch Václav Ovsík
@ 2008-02-29 13:46     ` Christopher J. PeBenito
  2008-02-29 15:29       ` [DSE-Dev] " Martin Orr
  2008-03-04 15:19       ` refpolicy: patch for ldconfig from glibc 2.7, " Václav Ovsík
  0 siblings, 2 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-02-29 13:46 UTC (permalink / raw)
  To: Václav Ovsík; +Cc: selinux, selinux-devel

On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
> Hi,
> this is a completion of the previous patch...
[...]
> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
> with run_init), then the ldconfig called from the postinst and/or postrm
> scripts of shared libs brings the following denials:
> 
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> 
> The attached patch (which replaces my previous patch) suppresses these messages.
> Maybe this could also be solved by adding unconfined_domain(ldconfig_t), like
> Fedora or Ubuntu do. (This could be added too.)

The apt rules are fine, but there shouldn't be any more generic pty
usage anymore.  Are you using an older policy that doesn't have strict
and targeted merged (and unconfined_r)?

> @@ -103,3 +108,10 @@
>         # blow up.
>         rpm_manage_script_tmp_files(ldconfig_t)
>  ')
> +
> +optional_policy(`
> +       # ldconfig run from postinstall, postrm scripts on Debian...
> +       apt_rw_pipes(ldconfig_t)
> +       apt_use_fds(ldconfig_t)
> +       term_use_generic_ptys(ldconfig_t)
> +')
> 

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150





* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-02-29 13:46     ` Christopher J. PeBenito
@ 2008-02-29 15:29       ` Martin Orr
  2008-02-29 16:32         ` Christopher J. PeBenito
  2008-03-04 15:19       ` refpolicy: patch for ldconfig from glibc 2.7, " Václav Ovsík
  1 sibling, 1 reply; 15+ messages in thread
From: Martin Orr @ 2008-02-29 15:29 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Václav Ovsík, selinux, selinux-devel


On 29/02/08 13:46, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
>> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
>> with run_init), then the ldconfig called from the postinst and/or postrm
>> scripts of shared libs brings the following denials:
>>
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
>>
>> The attached patch (which replaces my previous patch) suppresses these messages.
>> Maybe this could also be solved by adding unconfined_domain(ldconfig_t), like
>> Fedora or Ubuntu do. (This could be added too.)
> 
> The apt rules are fine, but there shouldn't be any more generic pty
> usage anymore.  Are you using an older policy that doesn't have strict
> and targeted merged (and unconfined_r)?

It's because apt creates a pty of its own to run dpkg on, so it can log the
output.  (This is fairly recent - it has been in apt trunk since October.)

The attached patch is what I am using to deal with this.  (I'm not sure if
it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
but dontaudit is what the Debian policy package uses.)

Best wishes,

-- 
Martin Orr

[-- Attachment #2: 101_apt_dpkg_log --]

Written by: Martin Orr
with bits from:
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-12
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-13

Combines 501_apt_create_pty with bits from 365_apt_fixes

Cope with apt creating a new pty to run dpkg

Index: policy/modules/admin/apt.fc
===================================================================
--- policy/modules/admin/apt.fc.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.fc	2008-02-29 14:56:46.000000000 +0000
@@ -11,3 +11,6 @@
 # package list repository
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
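Review bot: labelling /var/log/apt as apt_var_log_t is only half of the log change; nothing in this patch lets apt_t create or write files of that type (no manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t) and no logging_log_filetrans(apt_t, apt_var_log_t, { file dir })), so unless apt_t already holds a blanket logging permission, the terminal log will be the next denial to appear. Either add those rules here or say in the description why they are not needed.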
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.if	2008-02-29 14:56:46.000000000 +0000
@@ -92,6 +92,25 @@
 
 ########################################
 ## <summary>
+##     Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process attempting performing this action
+##      which should not be audited.
+##     </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Read and write an unnamed apt pipe.
 ## </summary>
 ## <param name="domain">
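Review bot: the XML doc comment for apt_dontaudit_use_fds is indented with spaces where every other interface in apt.if puts a tab after `##` (compare the unchanged `##	Read and write an unnamed apt pipe.` lines just below), and `attempting performing this action` should read `attempting to perform this action`; refpolicy's dontaudit interfaces conventionally describe the parameter as `Domain to not audit.`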
@@ -111,6 +130,24 @@
 
 ########################################
 ## <summary>
+##	Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+	gen_require(`
+		type apt_devpts_t;
+	')
+
+	allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read the apt package database.
 ## </summary>
 ## <param name="domain">
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.te	2008-02-29 14:57:02.000000000 +0000
@@ -1,5 +1,5 @@
 
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
 
 ########################################
 #
@@ -26,6 +26,13 @@
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
 ########################################
 #
 # apt Local policy
@@ -97,6 +104,7 @@
 
 fs_getattr_all_fs(apt_t)
 
+term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
 
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/dpkg.te	2008-02-29 14:56:46.000000000 +0000
@@ -172,6 +172,10 @@
 # since the scripts aren't labeled correctly yet...
 allow dpkg_t dpkg_var_lib_t:file execute;
 
+optional_policy(`
+	apt_use_ptys(dpkg_t)
+')
+
 # TODO: allow?
 #optional_policy(`
 #	cron_system_entry(dpkg_t,dpkg_exec_t)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/system/libraries.te	2008-02-29 14:56:46.000000000 +0000
@@ -98,6 +98,11 @@
 ')
 
 optional_policy(`
+	apt_dontaudit_use_fds(ldconfig_t)
+	apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it.  If you dont allow this kernel installs 
 	# blow up.
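Review bot: this block drops the apt_rw_pipes(ldconfig_t) that the earlier patch had, yet the third denial quoted above (write on a pipefs fifo_file owned by apt_t) is unchanged, so with only apt_dontaudit_use_fds and apt_use_ptys ldconfig will still be denied writing to apt's pipe; keep apt_rw_pipes in the block. On dontaudit versus allow: a dontaudit rule only silences the fd use denial, the access is still refused, so under enforcing ldconfig loses its inherited stdio descriptors, which argues for apt_use_fds(ldconfig_t) here.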


* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-02-29 15:29       ` [DSE-Dev] " Martin Orr
@ 2008-02-29 16:32         ` Christopher J. PeBenito
  2008-03-01 14:54           ` Martin Orr
  0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-02-29 16:32 UTC (permalink / raw)
  To: Martin Orr; +Cc: Václav Ovsík, selinux, selinux-devel

On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
> On 29/02/08 13:46, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
> >> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
> >> with run_init), then the ldconfig called from the postinst and/or postrm
> >> scripts of shared libs brings the following denials:
> >>
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> >>
> >> The attached patch (which replaces my previous patch) suppresses these messages.
> >> Maybe this could also be solved by adding unconfined_domain(ldconfig_t), like
> >> Fedora or Ubuntu do. (This could be added too.)
> > 
> > The apt rules are fine, but there shouldn't be any more generic pty
> > usage anymore.  Are you using an older policy that doesn't have strict
> > and targeted merged (and unconfined_r)?
> 
> It's because apt creates a pty of its own to run dpkg on, so it can log the
> output.  (This is fairly recent - it has been in apt trunk since October.)

Makes sense.

> The attached patch is what I am using to deal with this.  (I'm not sure if
> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> but dontaudit is what the Debian policy package uses.)

You probably want to allow it otherwise ldconfig won't inherit the fds
that point to the apt pty.  By denying the inheritance on an enforcing
system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
any ldconfig output.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150





* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-02-29 16:32         ` Christopher J. PeBenito
@ 2008-03-01 14:54           ` Martin Orr
  2008-03-04 19:39             ` [DSE-Dev] refpolicy: patch for ldconfig from glibc2.7, " Christopher J. PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Martin Orr @ 2008-03-01 14:54 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux, selinux-devel


On 29/02/08 16:32, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
>> The attached patch is what I am using to deal with this.  (I'm not sure if
>> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
>> but dontaudit is what the Debian policy package uses.)
> 
> You probably want to allow it otherwise ldconfig won't inherit the fds
> that point to the apt pty.  By denying the inheritance on an enforcing
> system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> any ldconfig output.

Here's an updated patch, with apt_use_fds(ldconfig_t).  This also lets
dpkg_t and dpkg_script_t use initrc ptys, so that se_dpkg works.

Best wishes,

-- 
Martin Orr

[-- Attachment #2: 101_apt_dpkg_ptys --]

Written by: Martin Orr
with bits from:
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-12
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-13

Combines 501_apt_create_pty 365_apt_fixes

Cope with apt creating a new pty to run dpkg
Also let dpkg use initrc ptys for se_dpkg

Index: policy/modules/admin/apt.fc
===================================================================
--- policy/modules/admin/apt.fc.orig	2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.fc	2008-03-01 13:38:16.000000000 +0000
@@ -11,3 +11,6 @@
 # package list repository
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig	2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.if	2008-03-01 13:38:16.000000000 +0000
@@ -111,6 +111,24 @@
 
 ########################################
 ## <summary>
+##	Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+	gen_require(`
+		type apt_devpts_t;
+	')
+
+	allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read the apt package database.
 ## </summary>
 ## <param name="domain">
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig	2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.te	2008-03-01 14:53:50.000000000 +0000
@@ -1,5 +1,5 @@
 
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
 
 ########################################
 #
@@ -26,6 +26,13 @@
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
 ########################################
 #
 # apt Local policy
@@ -97,6 +104,7 @@
 
 fs_getattr_all_fs(apt_t)
 
+term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
 
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig	2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/dpkg.te	2008-03-01 14:53:48.000000000 +0000
@@ -150,6 +150,7 @@
 files_exec_etc_files(dpkg_t)
 
 init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
 
 libs_use_ld_so(dpkg_t)
 libs_use_shared_libs(dpkg_t)
@@ -172,6 +173,10 @@
 # since the scripts aren't labeled correctly yet...
 allow dpkg_t dpkg_var_lib_t:file execute;
 
+optional_policy(`
+	apt_use_ptys(dpkg_t)
+')
+
 # TODO: allow?
 #optional_policy(`
 #	cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -290,6 +295,7 @@
 auth_manage_all_files_except_shadow(dpkg_script_t)
 
 init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
 
 libs_use_ld_so(dpkg_script_t)
 libs_use_shared_libs(dpkg_script_t)
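Review bot: init_use_script_fds(dpkg_script_t) lets the maintainer script inherit the initrc descriptors, but the dpkg_t hunk above adds init_use_script_ptys(dpkg_t) while dpkg_script_t gets no init_use_script_ptys here, and the apt block for dpkg_script_t further down adds apt_rw_pipes and apt_use_fds but not apt_use_ptys. Maintainer scripts write their own output to the same pty as dpkg, so unless dpkg_script_t already has those (or term_use_all_terms) elsewhere in dpkg.te, it will hit the same chr_file denial ldconfig_t did; add the two pty interfaces or note that they are already covered.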
@@ -314,6 +320,11 @@
 ')
 
 optional_policy(`
+	apt_rw_pipes(dpkg_script_t)
+	apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
 	bootloader_domtrans(dpkg_script_t)
 ')
 
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig	2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/system/libraries.te	2008-03-01 14:48:40.000000000 +0000
@@ -98,6 +98,12 @@
 ')
 
 optional_policy(`
+	apt_rw_pipes(ldconfig_t)
+	apt_use_fds(ldconfig_t)
+	apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it.  If you dont allow this kernel installs 
 	# blow up.


* Re: refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-02-29 13:46     ` Christopher J. PeBenito
  2008-02-29 15:29       ` [DSE-Dev] " Martin Orr
@ 2008-03-04 15:19       ` Václav Ovsík
  2008-03-04 15:37         ` [DSE-Dev] " Václav Ovsík
  1 sibling, 1 reply; 15+ messages in thread
From: Václav Ovsík @ 2008-03-04 15:19 UTC (permalink / raw)
  To: Christopher J. PeBenito, Martin Orr; +Cc: selinux, selinux-devel

On Fri, Feb 29, 2008 at 08:46:01AM -0500, Christopher J. PeBenito wrote:
>...
> The apt rules are fine, but there shouldn't be any more generic pty
> usage anymore.  Are you using an older policy that doesn't have strict
> and targeted merged (and unconfined_r)?

Policy is HEAD. I did bad work. When I got the denial, I simply grepped the
policy files for the macro that best fit :(.  I assume that the context for the pty
was inherited from the parent directory (devpts_t). Martin did a fine analysis.

I tried to install small shlib, insert `ls -laZ /dev/pts' into its
postrm script and remove it:

sid:~# se_apt-get remove libcdb1
Authenticating root.
Password: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  libcdb1
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 36.9kB disk space will be freed.
(Reading database ... 68022 files and directories currently installed.)
Removing libcdb1 ...
total 0
drwxr-xr-x+  2 root root system_u:object_r:devpts_t:s0             0 Feb 29 16:17 .
drwxr-xr-x+ 11 root root system_u:object_r:device_t:s0          2440 Feb 29 16:17 ..
crw-------+  1 zito tty  staff_u:object_r:sysadm_devpts_t:s0  136, 0 Feb 29 16:26 0
crw--w----+  1 root tty  system_u:object_r:initrc_devpts_t:s0 136, 1 Feb 29 16:26 1
crw--w----+  1 root tty  system_u:object_r:devpts_t:s0        136, 2 Feb 29 16:26 2
sid:~# 

and the denial (I commented out `term_use_generic_ptys(ldconfig_t)'):

audit(1204298770.142:5): avc:  denied  { read write } for  pid=1762 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file


On Fri, Feb 29, 2008 at 03:29:02PM +0000, Martin Orr wrote:
>...
> It's because apt creates a pty of its own to run dpkg on, so it can log the
> output.  (This is fairly recent - it has been in apt trunk since October.)
> 
> The attached patch is what I am using to deal with this.  (I'm not sure if
> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> but dontaudit is what the Debian policy package uses.)
>...

Fine, I took your changes. Thanks.


On Fri, Feb 29, 2008 at 11:32:29AM -0500, Christopher J. PeBenito wrote:
>...
> > The attached patch is what I am using to deal with this.  (I'm not sure if
> > it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> > but dontaudit is what the Debian policy package uses.)
> 
> You probably want to allow it otherwise ldconfig won't inherit the fds
> that point to the apt pty.  By denying the inheritance on an enforcing
> system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> any ldconfig output.

Ok. I did a similar experiment with the patch from Martin but without
`apt_dontaudit_use_fds(ldconfig_t)'.  I added the option -v to ldconfig, so
it would produce some output, and `ls -laZ /dev/pts'.
In permissive mode:

total 0
drwxr-xr-x+  2 root root system_u:object_r:devpts_t:s0             0 Mar  4 15:29 .
drwxr-xr-x+ 11 root root system_u:object_r:device_t:s0          2440 Mar  4 15:31 ..
crw-------+  1 zito tty  staff_u:object_r:sysadm_devpts_t:s0  136, 0 Mar  4 15:41 0
crw--w----+  1 root tty  system_u:object_r:initrc_devpts_t:s0 136, 1 Mar  4 15:41 1
crw--w----+  1 root tty  system_u:object_r:apt_devpts_t:s0    136, 2 Mar  4 15:41 2
ldconfig: Can't stat /lib64: No such file or directory
/lib/i486-linux-gnu:
/usr/lib/i486-linux-gnu:
/usr/local/lib:
/lib:
        libsemanage.so.1 -> libsemanage.so.1
        libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
        libwrap.so.0 -> libwrap.so.0.7.6
        libusb-0.1.so.4 -> libusb-0.1.so.4.4.4
        libreadline.so.5 -> libreadline.so.5.2
...

and the denial:

sid login: audit(1204641693.561:8): avc:  denied  { use } for  pid=1983 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd

I restarted the machine in enforcing mode and did the same, but no output from
ldconfig was visible and denials like the above appeared. Listing the
directory /dev/pts was disallowed too (some dontaudit rules, probably).

Then I added `apt_use_fds(ldconfig_t)', rebuilt the policy and tried in
permissive mode:

sid:~# se_apt-get install libcdb1
Authenticating root.
Password: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  libcdb1
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/11.9kB of archives.
After this operation, 36.9kB of additional disk space will be used.
Selecting previously deselected package libcdb1.
(Reading database ... 68018 files and directories currently installed.)
Unpacking libcdb1 (from .../archives/libcdb1_0.76_i386.deb) ...
Setting up libcdb1 (0.76) ...
sid:~# vim /var/lib/dpkg/info/libcdb1.postrm 
sid:~# cat /var/lib/dpkg/info/libcdb1.postrm
#!/bin/sh
set -e
# Automatically added by dh_makeshlibs
if [ "$1" = "remove" ]; then
        ldconfig -v
fi
# End automatically added section
sid:~# load_policy 
sid:~# se_apt-get remove libcdb1
Authenticating root.
Password: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  libcdb1
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 36.9kB disk space will be freed.
(Reading database ... 68022 files and directories currently installed.)
Removing libcdb1 ...
ldconfig: Can't stat /lib64: No such file or directory
/lib/i486-linux-gnu:
/usr/lib/i486-linux-gnu:
/usr/local/lib:
/lib:
        libsemanage.so.1 -> libsemanage.so.1
        libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
        libwrap.so.0 -> libwrap.so.0.7.6
        libusb-0.1.so.4 -> libusb-0.1.so.4.4.4
...

no denials

I think that Martin Orr's patch is fine to use, but the use of apt file
descriptors by ldconfig should be allowed. Martin, please review this.

I'm going to learn GNU Arch as a penalty for my hasty patch last time. :)
Just kidding, knowing GNU Arch will be worth it!

Best Regards
-- 
Zito

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
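As an added example (not code from this thread or from refpolicy): a Python parser for AVC denial lines like the ones quoted in the message above, which collapses them into the raw allow rules they imply, the step a policy author does before mapping each rule onto a refpolicy interface. The sample lines are copied from this thread; `GENERIC_TARGETS` is my own heuristic for spotting denials that point at a labelling problem rather than a missing rule.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC lines copied from this thread (the console
# prefix on the second one is left in to show the parser tolerates it).
SAMPLE_AVC = """\
audit(1204298770.142:5): avc:  denied  { read write } for  pid=1762 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
sid login: audit(1204641693.561:8): avc:  denied  { use } for  pid=1983 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my own): a generic target type usually means a mislabelled object,
# as with var_t here, where the fix was a new ldconfig_cache_t type, not an allow.
GENERIC_TARGETS = {"var_t", "devpts_t", "tmp_t", "etc_t"}

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": frozenset(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the type is what policy rules use.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def needed_rules(lines):
    """Collapse denials into (source type, target type, class) -> permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and "tclass" in rec:
            rules[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)

def format_rules(rules):
    """Render raw allow rules, flagging targets that point at a labelling problem."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in GENERIC_TARGETS:
            rule += f"  # {tgt} is generic: relabel the object or use a specific interface"
        out.append(rule)
    return out

if __name__ == "__main__":
    print("\n".join(format_rules(needed_rules(SAMPLE_AVC.splitlines()))))
```

The flagged var_t rules are exactly the ones the thread did not add; the ldconfig_cache_t file context and the apt fd/pty interfaces replaced them.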


* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
  2008-03-04 15:19       ` refpolicy: patch for ldconfig from glibc 2.7, " Václav Ovsík
@ 2008-03-04 15:37         ` Václav Ovsík
  0 siblings, 0 replies; 15+ messages in thread
From: Václav Ovsík @ 2008-03-04 15:37 UTC (permalink / raw)
  To: Christopher J. PeBenito, Martin Orr; +Cc: selinux, selinux-devel

Sorry for my futile mail. I must remake my procmail rules. I just found Martin's
mail from March 1st in a different mailbox.
-- 
Zito


* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc2.7, new patch
  2008-03-01 14:54           ` Martin Orr
@ 2008-03-04 19:39             ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-03-04 19:39 UTC (permalink / raw)
  To: Martin Orr; +Cc: selinux, selinux-devel

On Sat, 2008-03-01 at 14:54 +0000, Martin Orr wrote:
> On 29/02/08 16:32, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
> >> The attached patch is what I am using to deal with this.  (I'm not sure if
> >> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> >> but dontaudit is what the Debian policy package uses.)
> > 
> > You probably want to allow it otherwise ldconfig won't inherit the fds
> > that point to the apt pty.  By denying the inheritance on an enforcing
> > system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> > any ldconfig output.
> 
> Here's an updated patch, with apt_use_fds(ldconfig_t).  This also lets
> dpkg_t and dpkg_script_t use initrc ptys, so that se_dpkg works.

Merged.

> @@ -1,5 +1,5 @@
>  
> -policy_module(apt,1.3.0)
> +policy_module(apt,1.3.1)
>  

In the future, please don't submit patches with module version changes.
It may change between the time you make the patch and the time I apply
it, which may cause patches not to apply.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: refpolicy: patch for ldconfig from glibc 2.7
  2008-02-22 15:27 refpolicy: patch for ldconfig from glibc 2.7 Václav Ovsík
  2008-02-22 18:05 ` Christopher J. PeBenito
@ 2008-08-12 15:30 ` Václav Ovsík
  2008-08-12 19:38   ` Christopher J. PeBenito
  1 sibling, 1 reply; 15+ messages in thread
From: Václav Ovsík @ 2008-08-12 15:30 UTC (permalink / raw)
  To: selinux

Hi,
there is a message with a patch
http://marc.info/?l=selinux&m=120369420620609&w=2
from February 2008.

On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > Hi,
> > I had some denials for ldconfig on Debian Sid. I took changes from
> > Fedora policy package - a patch attached. I grabbed only the things needed
> > to suppress the denials below from Fedora.
> > 
> > audit(1203580520.435:11): avc:  denied  { read } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.435:12): avc:  denied  { getattr } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.907:13): avc:  denied  { write } for  pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> 
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150

Can this patch be merged as-is?
(Attached again.)
-- 
Zito

[-- Attachment #2: libraries.ldconfig.patch --]
[-- Type: text/x-diff, Size: 1364 bytes --]

Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc	(revision 2624)
+++ policy/modules/system/libraries.fc	(working copy)
@@ -304,3 +304,5 @@
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
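Review bot: the new `/var/cache/ldconfig(/.*)?` entry pads its gen_context with a mix of tabs and spaces while the surrounding entries use tabs only; please align it the same way. Also, on systems that have already run glibc 2.7 the directory and `aux-cache` exist labelled var_t (that is what every denial in the original report shows), so the file context only takes effect after a relabel of /var/cache/ldconfig; worth stating in the patch description.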
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te	(revision 2624)
+++ policy/modules/system/libraries.te	(working copy)
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
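Review bot: `type ldconfig_cache_t;` is declared with no comment saying what it labels; since the only link between this type and /var/cache/ldconfig is the .fc entry in the other file, a short comment here (the glibc 2.7 aux-cache) would make the .te self-explanatory. `files_type` is the right attribute for a cache under /var.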
 
@@ -46,7 +49,9 @@
 
 allow ldconfig_t self:capability sys_chroot;
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
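Review bot: the rewrite of `allow ldconfig_t ld_so_cache_t:file manage_file_perms;` into `manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)` is behaviour-neutral in practice: the pattern's directory permissions are granted on ld_so_cache_t, which (per the `files_etc_filetrans(...,file)` just below) only labels the /etc/ld.so.cache file, so they never match anything; fine as a style conversion, but it should not be read as a new grant. The `manage_files_pattern` on ldconfig_cache_t is what actually covers the reported read/getattr/write/add_name/create denials, provided ldconfig_t can already search /var; if ldconfig ever has to create /var/cache/ldconfig itself, a `manage_dirs_pattern` plus a dir filetrans from var_t would also be needed.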


* Re: refpolicy: patch for ldconfig from glibc 2.7
  2008-08-12 15:30 ` refpolicy: patch for ldconfig from glibc 2.7 Václav Ovsík
@ 2008-08-12 19:38   ` Christopher J. PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2008-08-12 19:38 UTC (permalink / raw)
  To: Václav Ovsík; +Cc: selinux

On Tue, 2008-08-12 at 17:30 +0200, Václav Ovsík wrote:
> Hi,
> there is a message with a patch
> http://marc.info/?l=selinux&m=120369420620609&w=2
> in February 2008.

Merged.

> On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > > Hi,
> > > I had some denials for ldconfig on Debian Sid. I took changes from
> > > Fedora policy package - a patch attached. I grabbed only the things needed
> > > to suppress the denials below from Fedora.
> > > 
> > > audit(1203580520.435:11): avc:  denied  { read } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > > audit(1203580520.435:12): avc:  denied  { getattr } for  pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > > audit(1203580520.907:13): avc:  denied  { write } for  pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > > audit(1203580520.907:14): avc:  denied  { add_name } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > > audit(1203580520.907:15): avc:  denied  { create } for  pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > 
> > This is the right fix, and basically the same fix is queued up for
> > merging as part of Dan's patch set.
> 
> Can this patch be merged as-is?
> (Attached again.)
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



