[refpolicy] Let dpkg scripts ptrace

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] Let dpkg scripts ptrace
@ 2008-06-25 16:31 Martin Orr
  2008-07-18 13:54 ` Christopher J. PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Martin Orr @ 2008-06-25 16:31 UTC (permalink / raw)
  To: SELinux List, Christopher J. PeBenito

[-- Attachment #1: Type: text/plain, Size: 331 bytes --]

Some dpkg maintainer scripts run pidof, which needs the sys_ptrace capability.

Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc:  denied  {
sys_ptrace } for  pid=4214 comm="pidof" capability=19
scontext=system_u:system_r:dpkg_script_t:s0
tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability

-- 
Martin Orr

[-- Attachment #2: 118_dpkg_script_pidof --]
[-- Type: text/plain, Size: 1035 bytes --]

Written by: Martin Orr

Allow dpkg scripts to run pidof

Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc:  denied  { sys_ptrace } for  pid=4214 comm="pidof" capability=19 scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability

Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig
+++ policy/modules/admin/dpkg.te
@@ -216,7 +216,7 @@
 #
 # TODO: actually use dpkg_script_t
 
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill sys_ptrace };
 allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [refpolicy] Let dpkg scripts ptrace
  2008-06-25 16:31 [refpolicy] Let dpkg scripts ptrace Martin Orr
@ 2008-07-18 13:54 ` Christopher J. PeBenito
  2008-08-07 14:48   ` Martin Orr
  0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2008-07-18 13:54 UTC (permalink / raw)
  To: Martin Orr; +Cc: SELinux List

On Wed, 2008-06-25 at 17:31 +0100, Martin Orr wrote:
> Some dpkg maintainer scripts run pidof, which needs the sys_ptrace capability.
> 
> Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc:  denied  {
> sys_ptrace } for  pid=4214 comm="pidof" capability=19
> scontext=system_u:system_r:dpkg_script_t:s0
> tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability

Seems odd, since the ptrace process permission is not allowed.  Does it
work without this in enforcing?

> plain text document attachment (118_dpkg_script_pidof)
> Written by: Martin Orr
> 
> Allow dpkg scripts to run pidof
> 
> Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc:  denied  { sys_ptrace } for  pid=4214 comm="pidof" capability=19 scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability
> 
> Index: policy/modules/admin/dpkg.te
> ===================================================================
> --- policy/modules/admin/dpkg.te.orig
> +++ policy/modules/admin/dpkg.te
> @@ -216,7 +216,7 @@
>  #
>  # TODO: actually use dpkg_script_t
>  
> -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
> +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill sys_ptrace };
>  allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>  allow dpkg_script_t self:fd use;
>  allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [refpolicy] Let dpkg scripts ptrace
  2008-07-18 13:54 ` Christopher J. PeBenito
@ 2008-08-07 14:48   ` Martin Orr
  0 siblings, 0 replies; 3+ messages in thread
From: Martin Orr @ 2008-08-07 14:48 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux List

On 18/07/08 14:54, Christopher J. PeBenito wrote:
> On Wed, 2008-06-25 at 17:31 +0100, Martin Orr wrote:
>> Some dpkg maintainer scripts run pidof, which needs the sys_ptrace capability.
>>
>> Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc:  denied  {
>> sys_ptrace } for  pid=4214 comm="pidof" capability=19
>> scontext=system_u:system_r:dpkg_script_t:s0
>> tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability
> 
> Seems odd, since the ptrace process permission is not allowed.  Does it
> work without this in enforcing?

It comes from trying to stat /proc/*/exe - proc_pid_readlink always checks
ptrace access.  It would indeed be strange if pidof really wanted to ptrace
anything.

Best wishes,

-- 
Martin Orr

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2008-08-07 14:48 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-06-25 16:31 [refpolicy] Let dpkg scripts ptrace Martin Orr
2008-07-18 13:54 ` Christopher J. PeBenito
2008-08-07 14:48   ` Martin Orr

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.