From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
Date: Tue, 25 Jan 2011 19:30:42 +0100 [thread overview]
Message-ID: <4D3F16D2.9070705@gmail.com> (raw)
In-Reply-To: <1295979981.3051.10.camel@tesla.lan>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>
>>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>>
>>>>> +init_read_fifo_file(readahead_t)
>>>>> init_use_fds(readahead_t)
>>>>> init_use_script_ptys(readahead_t)
>>>>> init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>
>>>>> ########################################
>>>>> ## <summary>
>>>>> +## Read init fifo file.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +## <summary>
>>>>> +## Domain allowed access.
>>>>> +## </summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> + gen_require(`
>>>>> + attribute init_t;
>>>>> + ')
>>>>> +
>>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here ? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>> and in that case the pattern makes good sense.
>>
>> looking at similar examples thought, like
>>
>>> interface(`init_rw_script_pipes',`
>>> gen_require(`
>>> type initrc_t;
>>> ')
>>>
>>> allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> gen_require(`
>>> type initrc_t;
>>> ')
>>>
>>> allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
>
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Yes but it does not need to search any init_t type directories from what
i can see in your avc denial above.
That is why i suggest you use:
allow $1 init_t:fifo_file r_fifo_file_perms;
instead.
> Regards,
>
> Guido
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0/FtIACgkQMlxVo39jgT+afwCfRAz/0CBOTPYTIS40CAQAW8pZ
vUcAn1tadnK+wgIXcLyF/72NHlJ2TWgW
=Y49m
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2011-01-25 18:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-24 0:43 [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy Guido Trentalancia
2011-01-24 14:21 ` Dominick Grift
2011-01-24 15:12 ` Guido Trentalancia
2011-01-24 15:15 ` Dominick Grift
2011-01-31 19:09 ` Christopher J. PeBenito
2011-01-25 18:04 ` Guido Trentalancia
2011-01-25 18:14 ` Dominick Grift
2011-01-25 18:26 ` Guido Trentalancia
2011-01-25 18:30 ` Dominick Grift [this message]
2011-01-25 18:39 ` Guido Trentalancia
2011-01-25 18:46 ` Dominick Grift
2011-01-25 19:20 ` Guido Trentalancia
2011-01-31 19:03 ` Christopher J. PeBenito
2011-01-31 23:00 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D3F16D2.9070705@gmail.com \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.