* refpolicy: patch for ldconfig from glibc 2.7
@ 2008-02-22 15:27 Václav Ovsík
2008-02-22 18:05 ` Christopher J. PeBenito
2008-08-12 15:30 ` refpolicy: patch for ldconfig from glibc 2.7 Václav Ovsík
0 siblings, 2 replies; 15+ messages in thread
From: Václav Ovsík @ 2008-02-22 15:27 UTC (permalink / raw)
To: selinux, selinux-devel
[-- Attachment #1: Type: text/plain, Size: 1196 bytes --]
Hi,
I had some denials for ldconfig on Debian Sid. I took changes from
the Fedora policy package - a patch is attached. I grabbed only the things needed
to suppress the denials below from Fedora.
audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
...
Thanks
--
Zito
[-- Attachment #2: libraries.ldconfig.patch --]
[-- Type: text/x-diff, Size: 1364 bytes --]
Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc (revision 2624)
+++ policy/modules/system/libraries.fc (working copy)
@@ -304,3 +304,5 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
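Review bot: the new `/var/cache/ldconfig(/.*)?` context only takes effect after a relabel, and nothing in the patch labels the objects at runtime. The denials show both the `ldconfig` directory and `aux-cache` currently carrying var_t, so an installed system still needs `restorecon -R /var/cache/ldconfig` (or a full relabel) once the new policy is loaded; and if ldconfig itself ever creates the directory or its files under `/var/cache`, a `files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir)` in libraries.te would label them correctly without that step. The relabel requirement should at least be stated in the change description.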
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te (revision 2624)
+++ policy/modules/system/libraries.te (working copy)
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)
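Review bot: `type ldconfig_cache_t;` is declared without a comment saying what it labels. The neighbouring `ldconfig_tmp_t` carries none either, but this type exists only for glibc 2.7's `/var/cache/ldconfig/aux-cache`, so a one-line comment above the declaration would save the next reader a trip to libraries.fc to find out why it is here.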
@@ -46,7 +49,9 @@
allow ldconfig_t self:capability sys_chroot;
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
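Review bot: replacing `allow ldconfig_t ld_so_cache_t:file manage_file_perms;` with `manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)` is unrelated to the denials quoted and is a separate cleanup: the pattern's extra `rw_dir_perms` on `ld_so_cache_t:dir` has no directory to apply to (ld.so.cache is a file in /etc, and the `files_etc_filetrans` on the next line already covers its creation), so it adds nothing but widens the rule on paper. Either drop that part or explain it in the change description. The line that actually fixes the reported denials is `manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)`, which covers read/getattr/create on `aux-cache` and, through the pattern's directory permissions, write/add_name on the directory.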
* Re: refpolicy: patch for ldconfig from glibc 2.7
From: Christopher J. PeBenito @ 2008-02-22 18:05 UTC
To: Václav Ovsík; +Cc: selinux, selinux-devel
On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> Hi,
> I had some denials for ldconfig on Debian Sid. I took changes from
> the Fedora policy package - a patch is attached. I grabbed only the things needed
> to suppress the denials below from Fedora.
>
> audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

This is the right fix, and basically the same fix is queued up for merging as part of Dan's patch set.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: refpolicy: patch for ldconfig from glibc 2.7
From: Václav Ovsík @ 2008-02-25 12:41 UTC
To: Christopher J. PeBenito; +Cc: selinux, selinux-devel
On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.

Ok. Should I stop sending patches based on Dan's Fedora policy?
--
Zito
* Re: refpolicy: patch for ldconfig from glibc 2.7
From: Christopher J. PeBenito @ 2008-02-25 13:40 UTC
To: Václav Ovsík; +Cc: selinux, selinux-devel
On Mon, 2008-02-25 at 13:41 +0100, Václav Ovsík wrote:
> On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> > This is the right fix, and basically the same fix is queued up for
> > merging as part of Dan's patch set.
>
> Ok. Should I stop sending patches based on Dan's Fedora policy?

No.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: refpolicy: patch for ldconfig from glibc 2.7
From: Daniel J Walsh @ 2008-02-25 14:38 UTC
To: Václav Ovsík; +Cc: Christopher J. PeBenito, selinux, selinux-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Václav Ovsík wrote:
> On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
>> This is the right fix, and basically the same fix is queued up for
>> merging as part of Dan's patch set.
>
> Ok. Should I stop sending patches based on Dan's Fedora policy?

No, if more people report it, it gives a better indication that the Fedora policy is correct.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfC0wEACgkQrlYvE4MpobPqvwCfTSDwtfvtgxx22/efWEkoHNl3
0AoAoKNOvowl7D40y0p+3kqlahWuWe9/
=VhCD
-----END PGP SIGNATURE-----
* Re: refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Václav Ovsík @ 2008-02-29 7:21 UTC
To: Christopher J. PeBenito; +Cc: selinux, selinux-devel
[-- Attachment #1: Type: text/plain, Size: 2627 bytes --]
Hi,
this is a completion of the previous patch...
On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > Hi,
> > I had some denials for ldconfig on Debian Sid. I took changes from
> > the Fedora policy package - a patch is attached. I grabbed only the things needed
> > to suppress the denials below from Fedora.
> >
> > audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
>
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.

When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
with run_init), then the ldconfig called from the postinst and/or postrm
scripts of shared libs brings the following denials:

Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file

The attached patch (which replaces my previous patch) suppresses these messages.
Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
Fedora or Ubuntu solves this. (This could be added to.)
Regards
--
Zito
[-- Attachment #2: libraries.ldconfig.2.patch --]
[-- Type: text/x-diff, Size: 1621 bytes --]
Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc (revision 2626)
+++ policy/modules/system/libraries.fc (working copy)
@@ -304,3 +304,5 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te (revision 2626)
+++ policy/modules/system/libraries.te (working copy)
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
type ldconfig_tmp_t;
files_tmp_file(ldconfig_tmp_t)
@@ -46,7 +49,9 @@
allow ldconfig_t self:capability sys_chroot;
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -103,3 +108,10 @@
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
')
+
+optional_policy(`
+ # ldconfig run from postinstall, postrm scripts on Debian...
+ apt_rw_pipes(ldconfig_t)
+ apt_use_fds(ldconfig_t)
+ term_use_generic_ptys(ldconfig_t)
+')
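Review bot: `term_use_generic_ptys(ldconfig_t)` in the new `@@ -103,3 +108,10 @@` optional_policy block is broader than the denial warrants and is in the wrong place. The chr_file denial is against devpts_t, which is the default a pty inherits when nothing gave it a specific label, so the fix belongs where the pty is created (a dedicated pty type for apt and a `term_create_pty` rule in apt.te), not in a grant of read/write on every unlabeled pty to ldconfig_t. Separately, term_ interfaces come from the base terminal module and do not depend on apt being present the way `apt_rw_pipes` and `apt_use_fds` do, so that line should not sit inside this apt-conditional block in any case.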
* Re: refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Christopher J. PeBenito @ 2008-02-29 13:46 UTC
To: Václav Ovsík; +Cc: selinux, selinux-devel
On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
> Hi,
> this is a completion of the previous patch...
[...]
> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
> with run_init), then the ldconfig called from the postinst and/or postrm
> scripts of shared libs brings the following denials:
>
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
>
> The attached patch (which replaces my previous patch) suppresses these messages.
> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
> Fedora or Ubuntu solves this. (This could be added to.)

The apt rules are fine, but there shouldn't be any more generic pty usage anymore. Are you using an older policy that doesn't have strict and targeted merged (and unconfined_r)?

> @@ -103,3 +108,10 @@
> # blow up.
> rpm_manage_script_tmp_files(ldconfig_t)
> ')
> +
> +optional_policy(`
> + # ldconfig run from postinstall, postrm scripts on Debian...
> + apt_rw_pipes(ldconfig_t)
> + apt_use_fds(ldconfig_t)
> + term_use_generic_ptys(ldconfig_t)
> +')
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Martin Orr @ 2008-02-29 15:29 UTC
To: Christopher J. PeBenito; +Cc: Václav Ovsík, selinux, selinux-devel
[-- Attachment #1: Type: text/plain, Size: 1849 bytes --]
On 29/02/08 13:46, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
>> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
>> with run_init), then the ldconfig called from the postinst and/or postrm
>> scripts of shared libs brings the following denials:
>>
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
>>
>> The attached patch (which replaces my previous patch) suppresses these messages.
>> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
>> Fedora or Ubuntu solves this. (This could be added to.)
>
> The apt rules are fine, but there shouldn't be any more generic pty
> usage anymore. Are you using an older policy that doesn't have strict
> and targeted merged (and unconfined_r)?

It's because apt creates a pty of its own to run dpkg on, so it can log the output. (This is fairly recent - it has been in apt trunk since October.)

The attached patch is what I am using to deal with this. (I'm not sure if it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t) but dontaudit is what the Debian policy package uses.)

Best wishes,
--
Martin Orr
[-- Attachment #2: 101_apt_dpkg_log --]
[-- Type: text/plain, Size: 4116 bytes --]
Written by: Martin Orr
with bits from:
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-12
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-13
Combines 501_apt_create_pty with bits from 365_apt_fixes
Cope with apt creating a new pty to run dpkg
Index: policy/modules/admin/apt.fc
===================================================================
--- policy/modules/admin/apt.fc.orig 2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.fc 2008-02-29 14:56:46.000000000 +0000
@@ -11,3 +11,6 @@
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig 2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.if 2008-02-29 14:56:46.000000000 +0000
@@ -92,6 +92,25 @@
########################################
## <summary>
+## Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process attempting performing this action
+## which should not be audited.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
## Read and write an unnamed apt pipe.
## </summary>
## <param name="domain">
@@ -111,6 +130,24 @@
########################################
## <summary>
+## Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig 2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.te 2008-02-29 14:57:02.000000000 +0000
@@ -1,5 +1,5 @@
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
########################################
#
@@ -26,6 +26,13 @@
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
########################################
#
# apt Local policy
@@ -97,6 +104,7 @@
fs_getattr_all_fs(apt_t)
+term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig 2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/dpkg.te 2008-02-29 14:56:46.000000000 +0000
@@ -172,6 +172,10 @@
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig 2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/system/libraries.te 2008-02-29 14:56:46.000000000 +0000
@@ -98,6 +98,11 @@
')
optional_policy(`
+ apt_dontaudit_use_fds(ldconfig_t)
+ apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
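Review bot: the apt.te hunk at `@@ -26,6 +26,13 @@` declares `apt_var_log_t` and the apt.fc hunk labels `/var/log/apt(/.*)?` with it, but no hunk in this patch grants apt_t any access to that type or a file transition into it, so the dpkg terminal log this is meant to support will either be denied at creation (enforcing) or be created as plain var_log_t until the next relabel. Something like `manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)` together with `logging_log_filetrans(apt_t, apt_var_log_t, { dir file })` is needed, or the log type should be left out of this patch if it is handled elsewhere.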
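Review bot: the `@@ -1,5 +1,5 @@` hunk in apt.te bumps `policy_module(apt,1.3.0)` to 1.3.1. Module versions are bumped by the maintainer at merge time; carrying the bump in a submitted patch makes the patch fail to apply whenever the version moves in the meantime, so that hunk should be dropped.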
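Review bot: in the libraries.te hunk, `apt_dontaudit_use_fds(ldconfig_t)` next to `apt_use_ptys(ldconfig_t)` is inconsistent. The second line grants ldconfig_t read/write on the apt pty, but the first only silences the `fd use` denial instead of allowing it, and on an enforcing system a denied fd inheritance means the kernel closes those descriptors at exec and reopens 0, 1 and 2 on /dev/null, so ldconfig never reaches the pty it was just allowed to use and its output is lost. Use `apt_use_fds(ldconfig_t)`. The pipefs `write` denial quoted earlier in the thread also still needs `apt_rw_pipes(ldconfig_t)`, which Václav's version carried and this one omits.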
* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Christopher J. PeBenito @ 2008-02-29 16:32 UTC
To: Martin Orr; +Cc: Václav Ovsík, selinux, selinux-devel
On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
> On 29/02/08 13:46, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
> >> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
> >> with run_init), then the ldconfig called from the postinst and/or postrm
> >> scripts of shared libs brings the following denials:
> >>
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> >>
> >> The attached patch (which replaces my previous patch) suppresses these messages.
> >> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
> >> Fedora or Ubuntu solves this. (This could be added to.)
> >
> > The apt rules are fine, but there shouldn't be any more generic pty
> > usage anymore. Are you using an older policy that doesn't have strict
> > and targeted merged (and unconfined_r)?
>
> It's because apt creates a pty of its own to run dpkg on, so it can log the
> output. (This is fairly recent - it has been in apt trunk since October.)

Makes sense.

> The attached patch is what I am using to deal with this. (I'm not sure if
> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> but dontaudit is what the Debian policy package uses.)

You probably want to allow it otherwise ldconfig won't inherit the fds that point to the apt pty. By denying the inheritance on an enforcing system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose any ldconfig output.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
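Both rounds of this thread follow the same triage: the var_t denials in the first message and the devpts_t denial above were each resolved by giving the object its own type (ldconfig_cache_t, apt_devpts_t) rather than by granting ldconfig_t access to the generic type, while the apt_t fd and fifo_file denials were answered with the existing apt_use_fds/apt_rw_pipes interfaces. The script below is an added example, not code from this thread, from refpolicy or from audit2allow: it parses AVC denial lines, merges permissions per (source, target, class) the way audit2allow does, and then warns when the target is a generic default type, because that is the signal that a label is missing. The sample denials are constructed from the ones quoted in the thread; the generic-type list and the interface table are hand-maintained assumptions, the latter covering only the interfaces named here.

```python
"""Aggregate SELinux AVC denials into candidate policy, flagging generic targets.

Added example; not code from this thread, refpolicy or audit2allow.  Sample
denials are constructed from the ones quoted in the thread.  GENERIC_TARGETS
and INTERFACE_HINTS are hand-maintained assumptions, not refpolicy data.
"""
import re
from collections import defaultdict

# Constructed from the denials quoted in the thread (pids/timestamps as quoted).
SAMPLE_DENIALS = [
    'audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file',
    'Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd',
    'Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Default types an object inherits from its parent directory or filesystem.
# A denial against one of these usually means the object lacks a specific
# label (new type plus file context or filetrans rule), not that the domain
# should be allowed to touch everything carrying the generic type.  Assumed list.
GENERIC_TARGETS = {"var_t", "devpts_t", "tmp_t", "etc_t", "usr_t", "device_t"}

# (target type, object class) -> (permissions the interface covers, interface).
# Hand-maintained; only the interfaces named in this thread.
INTERFACE_HINTS = {
    ("apt_t", "fd"): ({"use"}, "apt_use_fds"),
    ("apt_t", "fifo_file"): ({"read", "write"}, "apt_rw_pipes"),
    ("apt_devpts_t", "chr_file"): ({"read", "write"}, "apt_use_ptys"),
}


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "name": fields.get("name", ""),
    }


def aggregate(lines):
    """Merge denials into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render(rules):
    """Emit allow rules or interface calls, with a warning for generic targets."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt in GENERIC_TARGETS:
            out.append(f"# WARNING: {tgt} is a generic type; the object is probably "
                       f"mislabeled. Give it its own type instead of allowing "
                       f"{src} {cls} access to all of {tgt}.")
        covered, iface = INTERFACE_HINTS.get((tgt, cls), (set(), None))
        if iface and perms <= covered:
            out.append(f"{iface}({src})")
        else:
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


def suggest(lines):
    """Denial lines in, candidate policy text out."""
    return render(aggregate(lines))


if __name__ == "__main__":
    print(suggest(SAMPLE_DENIALS))
```

Run against the sample, the two apt_t denials come out as `apt_use_fds(ldconfig_t)` and `apt_rw_pipes(ldconfig_t)`, while the var_t and devpts_t entries get a raw allow rule preceded by a warning; the warning, not the rule, is the actionable part, which matches what happened in the thread. Feed it `ausearch -m avc` output or `dmesg` lines from a permissive run; the parser ignores anything that is not an AVC record.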
* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Martin Orr @ 2008-03-01 14:54 UTC
To: Christopher J. PeBenito; +Cc: selinux, selinux-devel
[-- Attachment #1: Type: text/plain, Size: 730 bytes --]
On 29/02/08 16:32, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
>> The attached patch is what I am using to deal with this. (I'm not sure if
>> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
>> but dontaudit is what the Debian policy package uses.)
>
> You probably want to allow it otherwise ldconfig won't inherit the fds
> that point to the apt pty. By denying the inheritance on an enforcing
> system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> any ldconfig output.

Here's an updated patch, with apt_use_fds(ldconfig_t). This also lets dpkg_t and dpkg_script_t use initrc ptys, so that se_dpkg works.

Best wishes,
--
Martin Orr
[-- Attachment #2: 101_apt_dpkg_ptys --]
[-- Type: text/plain, Size: 3993 bytes --]
Written by: Martin Orr
with bits from:
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-12
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-13
Combines 501_apt_create_pty 365_apt_fixes
Cope with apt creating a new pty to run dpkg
Also let dpkg use initrc ptys for se_dpkg
Index: policy/modules/admin/apt.fc
===================================================================
--- policy/modules/admin/apt.fc.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.fc 2008-03-01 13:38:16.000000000 +0000
@@ -11,3 +11,6 @@
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.if 2008-03-01 13:38:16.000000000 +0000
@@ -111,6 +111,24 @@
########################################
## <summary>
+## Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.te 2008-03-01 14:53:50.000000000 +0000
@@ -1,5 +1,5 @@
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
########################################
#
@@ -26,6 +26,13 @@
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
########################################
#
# apt Local policy
@@ -97,6 +104,7 @@
fs_getattr_all_fs(apt_t)
+term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/dpkg.te 2008-03-01 14:53:48.000000000 +0000
@@ -150,6 +150,7 @@
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
@@ -172,6 +173,10 @@
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -290,6 +295,7 @@
auth_manage_all_files_except_shadow(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
@@ -314,6 +320,11 @@
')
optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/system/libraries.te 2008-03-01 14:48:40.000000000 +0000
@@ -98,6 +98,12 @@
')
optional_policy(`
+ apt_rw_pipes(ldconfig_t)
+ apt_use_fds(ldconfig_t)
+ apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
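Review bot: the apt.te hunk at `@@ -26,6 +26,13 @@` still declares `apt_var_log_t` for `/var/log/apt(/.*)?` without any hunk granting apt_t access to it or a file transition into it; the labeled log directory is therefore only reachable after a manual relabel, and writes to it will be denied in enforcing mode. Add the manage rule and a `logging_log_filetrans(apt_t, apt_var_log_t, { dir file })`, or split the log type out of this pty patch so each change can be reviewed on its own.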
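Review bot: the dpkg.te hunks are asymmetric: `init_use_script_ptys(dpkg_t)` is added at `@@ -150,6 +150,7 @@` and `init_use_script_fds(dpkg_script_t)` at `@@ -290,6 +295,7 @@`, so dpkg_t gets the initrc pty without the initrc descriptors that refer to it, and dpkg_script_t gets the descriptors without the pty. Unless the missing halves are already granted elsewhere in dpkg.te, one of the two domains will still have its descriptors closed at exec, which is the same output loss discussed for ldconfig_t; the message only says se_dpkg works, so stating which domain's output was checked would help.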
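Review bot: the libraries.te hunk at `@@ -98,6 +98,12 @@` adds the apt_rw_pipes/apt_use_fds/apt_use_ptys block for ldconfig_t without a comment saying why ldconfig needs apt access. The earlier version of this change carried `# ldconfig run from postinstall, postrm scripts on Debian...`; keep that line so the rules are not pruned later as unexplained, as the rpm block just below it documents its own reason.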
* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc2.7, new patch
From: Christopher J. PeBenito @ 2008-03-04 19:39 UTC
To: Martin Orr; +Cc: selinux, selinux-devel
On Sat, 2008-03-01 at 14:54 +0000, Martin Orr wrote:
> On 29/02/08 16:32, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
> >> The attached patch is what I am using to deal with this. (I'm not sure if
> >> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> >> but dontaudit is what the Debian policy package uses.)
> >
> > You probably want to allow it otherwise ldconfig won't inherit the fds
> > that point to the apt pty. By denying the inheritance on an enforcing
> > system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> > any ldconfig output.
>
> Here's an updated patch, with apt_use_fds(ldconfig_t). This also lets
> dpkg_t and dpkg_script_t use initrc ptys, so that se_dpkg works.

Merged.

> @@ -1,5 +1,5 @@
>
> -policy_module(apt,1.3.0)
> +policy_module(apt,1.3.1)
>

In the future please don't submit patches with module version changes. It may change between the time you make the patch, and the time I apply it, which may cause patches not to apply.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Václav Ovsík @ 2008-03-04 15:19 UTC
To: Christopher J. PeBenito, Martin Orr; +Cc: selinux, selinux-devel

On Fri, Feb 29, 2008 at 08:46:01AM -0500, Christopher J. PeBenito wrote:
>...
> The apt rules are fine, but there shouldn't be any more generic pty
> usage anymore. Are you using an older policy that doesn't have strict
> and targeted merged (and unconfined_r)?

Policy is HEAD. I did a bad job. When I got the denial, I simply grepped
the policy files for the macro that best fits :(. I assumed that the
context for the pty was inherited from the parent directory (devpts_t).
Martin did a fine analysis.

I tried to install a small shlib, insert `ls -laZ /dev/pts' into its
postrm script and remove it:

sid:~# se_apt-get remove libcdb1
Authenticating root.
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libcdb1
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 36.9kB disk space will be freed.
(Reading database ... 68022 files and directories currently installed.)
Removing libcdb1 ...
total 0
drwxr-xr-x+  2 root root system_u:object_r:devpts_t:s0            0 Feb 29 16:17 .
drwxr-xr-x+ 11 root root system_u:object_r:device_t:s0         2440 Feb 29 16:17 ..
crw-------+  1 zito tty  staff_u:object_r:sysadm_devpts_t:s0   136, 0 Feb 29 16:26 0
crw--w----+  1 root tty  system_u:object_r:initrc_devpts_t:s0  136, 1 Feb 29 16:26 1
crw--w----+  1 root tty  system_u:object_r:devpts_t:s0         136, 2 Feb 29 16:26 2
sid:~#

and denial (I commented out `term_use_generic_ptys(ldconfig_t)'):

audit(1204298770.142:5): avc: denied { read write } for pid=1762 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

On Fri, Feb 29, 2008 at 03:29:02PM +0000, Martin Orr wrote:
>...
> It's because apt creates a pty of its own to run dpkg on, so it can log the
> output. (This is fairly recent - it has been in apt trunk since October.)
>
> The attached patch is what I am using to deal with this. (I'm not sure if
> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> but dontaudit is what the Debian policy package uses.)
>...

Fine, I took your changes. Thanks.

On Fri, Feb 29, 2008 at 11:32:29AM -0500, Christopher J. PeBenito wrote:
>...
> > The attached patch is what I am using to deal with this. (I'm not sure if
> > it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> > but dontaudit is what the Debian policy package uses.)
>
> You probably want to allow it otherwise ldconfig won't inherit the fds
> that point to the apt pty. By denying the inheritance on an enforcing
> system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> any ldconfig output.

Ok. I did a similar experiment with the patch from Martin but without
`apt_dontaudit_use_fds(ldconfig_t)'. I added option -v to ldconfig, so it
could create some output, and `ls -laZ /dev/pts'. In permissive mode:

total 0
drwxr-xr-x+  2 root root system_u:object_r:devpts_t:s0            0 Mar  4 15:29 .
drwxr-xr-x+ 11 root root system_u:object_r:device_t:s0         2440 Mar  4 15:31 ..
crw-------+  1 zito tty  staff_u:object_r:sysadm_devpts_t:s0   136, 0 Mar  4 15:41 0
crw--w----+  1 root tty  system_u:object_r:initrc_devpts_t:s0  136, 1 Mar  4 15:41 1
crw--w----+  1 root tty  system_u:object_r:apt_devpts_t:s0     136, 2 Mar  4 15:41 2
ldconfig: Can't stat /lib64: No such file or directory
/lib/i486-linux-gnu:
/usr/lib/i486-linux-gnu:
/usr/local/lib:
/lib:
	libsemanage.so.1 -> libsemanage.so.1
	libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
	libwrap.so.0 -> libwrap.so.0.7.6
	libusb-0.1.so.4 -> libusb-0.1.so.4.4.4
	libreadline.so.5 -> libreadline.so.5.2
...

and denial:

sid login: audit(1204641693.561:8): avc: denied { use } for pid=1983 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd

I restarted the machine in enforcing mode and did the same, but no output
from ldconfig was visible and denials like the above appeared. Listing of
the directory /dev/pts was disallowed too (some dontaudit rules probably).

Then I added `apt_use_fds(ldconfig_t)', rebuilt the policy and tried in
permissive mode:

sid:~# se_apt-get install libcdb1
Authenticating root.
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libcdb1
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/11.9kB of archives.
After this operation, 36.9kB of additional disk space will be used.
Selecting previously deselected package libcdb1.
(Reading database ... 68018 files and directories currently installed.)
Unpacking libcdb1 (from .../archives/libcdb1_0.76_i386.deb) ...
Setting up libcdb1 (0.76) ...
sid:~# vim /var/lib/dpkg/info/libcdb1.postrm
sid:~# cat /var/lib/dpkg/info/libcdb1.postrm
#!/bin/sh
set -e
# Automatically added by dh_makeshlibs
if [ "$1" = "remove" ]; then
	ldconfig -v
fi
# End automatically added section
sid:~# load_policy
sid:~# se_apt-get remove libcdb1
Authenticating root.
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libcdb1
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 36.9kB disk space will be freed.
(Reading database ... 68022 files and directories currently installed.)
Removing libcdb1 ...
ldconfig: Can't stat /lib64: No such file or directory
/lib/i486-linux-gnu:
/usr/lib/i486-linux-gnu:
/usr/local/lib:
/lib:
	libsemanage.so.1 -> libsemanage.so.1
	libnss_mdns6_minimal.so.2 -> libnss_mdns6_minimal.so.2
	libwrap.so.0 -> libwrap.so.0.7.6
	libusb-0.1.so.4 -> libusb-0.1.so.4.4.4
...

no denials

I think that Martin Orr's patch is usable, but the use of apt file
descriptors by ldconfig should be allowed. Martin, please review this.

I'm going to learn GNU Arch as a penalty for my hasty patch last time. :)
Just kidding, knowing GNU Arch will be worth it!

Best Regards
--
Zito
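As an added example (not code from the thread), a small Python parser that turns AVC denial lines like the ones quoted in this thread into the (source type, target type, class, permissions) tuples a policy change has to cover; the sample lines are copied from the thread, and the grouping is the triage step done by hand above before picking a macro.

```python
"""Parse SELinux AVC denials and group them by (stype, ttype, tclass).
Added example for this thread; not part of refpolicy or any tool."""
import re
from collections import defaultdict

# Matches: audit(1203580520.435:11): avc: denied { read } for pid=... key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split()), "serial": int(m.group("serial"))}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # scontext/tcontext are user:role:type:level; the type is the third field
    for side in ("scontext", "tcontext"):
        if side in rec:
            rec[side[0] + "type"] = rec[side].split(":")[2]
    return rec


def summarize(lines):
    """Group denials by (stype, ttype, tclass) and merge their permission sets."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {k: sorted(v) for k, v in groups.items()}


# Sample input: denials quoted in this thread (aux-cache under /var still
# labelled var_t, plus the apt pty fd denial).
SAMPLE = """\
audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
sid login: audit(1204641693.561:8): avc: denied { use } for pid=1983 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
""".splitlines()

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE).items()):
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```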
* Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
From: Václav Ovsík @ 2008-03-04 15:37 UTC
To: Christopher J. PeBenito, Martin Orr; +Cc: selinux, selinux-devel

Sorry for my futile mail. I must remake my procmail rules. I found
Martin's mail from March 1st just now in a different mailbox.

--
Zito
* Re: refpolicy: patch for ldconfig from glibc 2.7
From: Václav Ovsík @ 2008-08-12 15:30 UTC
To: selinux
[-- Attachment #1: Type: text/plain, Size: 1693 bytes --]

Hi,
there is a message with a patch
http://marc.info/?l=selinux&m=120369420620609&w=2
in February 2008.

On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > Hi,
> > I had some denials for ldconfig on Debian Sid. I took changes from
> > Fedora policy package - a patch attached. I grabbed only things needed
> > to suppress denials below from Fedora.
> >
> > audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
>
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150

Can this patch be merged as-is? (Attached again.)

--
Zito

[-- Attachment #2: libraries.ldconfig.patch --]
[-- Type: text/x-diff, Size: 1364 bytes --]

Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc (revision 2624)
+++ policy/modules/system/libraries.fc (working copy)
@@ -304,3 +304,5 @@
 /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te (revision 2624)
+++ policy/modules/system/libraries.te (working copy)
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
@@ -46,7 +49,9 @@
 allow ldconfig_t self:capability sys_chroot;
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
 
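Review bot: the new libraries.fc entry `/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)` only labels files that get relabeled; the `ldconfig` directory and `aux-cache` in the reported denials already exist on disk as var_t, so the fix is incomplete without a restorecon of /var/cache/ldconfig after the policy is loaded, and that step should be mentioned. If ldconfig, rather than the package, is what creates /var/cache/ldconfig on a fresh system, the directory would still be created as var_t without a directory type transition from /var (files_var_filetrans in refpolicy), which this patch does not add. Minor: if libraries.fc is kept in path order, /var/cache/ldconfig belongs before the /var/spool/postfix entries rather than appended after them.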
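Review bot: in the libraries.te rules hunk, replacing `allow ldconfig_t ld_so_cache_t:file manage_file_perms;` with `manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)` is wider than the reported denials need: the pattern additionally grants rw_dir_perms on ld_so_cache_t as a directory, while the adjacent `files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)` shows it is used as a file type. Harmless, but unrelated to the aux-cache problem; keeping the original allow line and adding only `manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)` keeps the patch minimal. Note also that ldconfig_cache_t gets file management only; the add_name and write denials on the `ldconfig` directory are covered by the dir permissions the pattern grants on ldconfig_cache_t, but creating or removing that directory itself would need a manage_dirs_pattern on ldconfig_cache_t, which is not included.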
* Re: refpolicy: patch for ldconfig from glibc 2.7
From: Christopher J. PeBenito @ 2008-08-12 19:38 UTC
To: Václav Ovsík; +Cc: selinux

On Tue, 2008-08-12 at 17:30 +0200, Václav Ovsík wrote:
> Hi,
> there is a message with a patch
> http://marc.info/?l=selinux&m=120369420620609&w=2
> in February 2008.

Merged.

> On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > > Hi,
> > > I had some denials for ldconfig on Debian Sid. I took changes from
> > > Fedora policy package - a patch attached. I grabbed only things needed
> > > to suppress denials below from Fedora.
> > >
> > > audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > > audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > > audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > > audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > > audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> >
> > This is the right fix, and basically the same fix is queued up for
> > merging as part of Dan's patch set.
>
> Can this patch be merged as-is?
> (Attached again.)

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150