From: Martin Orr <martin@martinorr.name>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: selinux@tycho.nsa.gov, selinux-devel@lists.alioth.debian.org
Subject: Re: [DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
Date: Sat, 01 Mar 2008 14:54:57 +0000
Message-ID: <47C96E41.7020602@martinorr.name>
In-Reply-To: <1204302749.32061.241.camel@gorn>
On 29/02/08 16:32, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
>> The attached patch is what I am using to deal with this. (I'm not sure if
>> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
>> but dontaudit is what the Debian policy package uses.)
>
> You probably want to allow it otherwise ldconfig won't inherit the fds
> that point to the apt pty. By denying the inheritance on an enforcing
> system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
> any ldconfig output.
Here's an updated patch, with apt_use_fds(ldconfig_t). This also lets
dpkg_t and dpkg_script_t use initrc ptys, so that se_dpkg works.
Best wishes,
--
Martin Orr
[-- Attachment #2: 101_apt_dpkg_ptys --]
Written by: Martin Orr
with bits from:
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-12
srivasta@debian.org--lenny/refpolicy--debian--0.0--patch-13
Combines 501_apt_create_pty 365_apt_fixes
Cope with apt creating a new pty to run dpkg
Also let dpkg use initrc ptys for se_dpkg
Index: policy/modules/admin/apt.fc
===================================================================
--- policy/modules/admin/apt.fc.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.fc 2008-03-01 13:38:16.000000000 +0000
@@ -11,3 +11,6 @@
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.if 2008-03-01 13:38:16.000000000 +0000
@@ -111,6 +111,24 @@
########################################
## <summary>
+## Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/apt.te 2008-03-01 14:53:50.000000000 +0000
@@ -1,5 +1,5 @@
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
########################################
#
@@ -26,6 +26,13 @@
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
########################################
#
# apt Local policy
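Review bot: apt_var_log_t is declared here and given a file context in apt.fc, but no hunk in this patch grants any domain access to it, so apt_t (the writer of the "dpkg terminal log" the apt.fc comment refers to) will still be denied creating or appending files under /var/log/apt unless rules already exist outside the shown context. If they do not, add rules in the apt local policy section along the lines of `manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)` and `logging_log_filetrans(apt_t, apt_var_log_t, { file dir })`, so that files apt creates under /var/log get the new label without a relabel pass.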
@@ -97,6 +104,7 @@
fs_getattr_all_fs(apt_t)
+term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/admin/dpkg.te 2008-03-01 14:53:48.000000000 +0000
@@ -150,6 +150,7 @@
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
@@ -172,6 +173,10 @@
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
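Review bot: this block gives dpkg_t read/write on the apt-created pty but nothing in the patch shows dpkg_t getting apt_use_fds or apt_rw_pipes; if those are not already present elsewhere in dpkg.te, dpkg inherits apt's stdio descriptors without fd:use permission and they are closed and reopened on /dev/null at exec, the same failure mode described for ldconfig earlier in the thread. Worth confirming, since the equivalent block for dpkg_script_t later in this file adds both interfaces explicitly.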
@@ -290,6 +295,7 @@
auth_manage_all_files_except_shadow(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
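Review bot: the cover letter says both dpkg_t and dpkg_script_t can now use initrc ptys, but this hunk only adds init_use_script_fds(dpkg_script_t), whereas the dpkg_t hunk above adds init_use_script_ptys. Inheriting the descriptor alone does not grant read/write on the initrc pty's chr_file, so under se_dpkg the maintainer scripts' stdio would still be replaced with /dev/null at exec unless dpkg_script_t already has pty access some other way; if the stated intent holds, add `init_use_script_ptys(dpkg_script_t)` next to it.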
@@ -314,6 +320,11 @@
')
optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
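Review bot: dpkg_script_t gets apt_rw_pipes and apt_use_fds here but not apt_use_ptys, while ldconfig_t in the libraries.te hunk gets all three. Maintainer scripts inherit the same apt-created pty as stdio from dpkg_t, so without `apt_use_ptys(dpkg_script_t)` their terminal descriptors are dropped at exec and the script output is lost, even though ldconfig, which those scripts invoke, would be allowed to use the pty.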
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig 2008-03-01 13:38:13.000000000 +0000
+++ policy/modules/system/libraries.te 2008-03-01 14:48:40.000000000 +0000
@@ -98,6 +98,12 @@
')
optional_policy(`
+ apt_rw_pipes(ldconfig_t)
+ apt_use_fds(ldconfig_t)
+ apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.