[refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy

All of lore.kernel.org
 help / color / mirror / Atom feed

From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
Date: Tue, 25 Jan 2011 19:46:53 +0100	[thread overview]
Message-ID: <4D3F1A9D.1060707@gmail.com> (raw)
In-Reply-To: <1295980781.11770.4.camel@tesla.lan>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> Hello Dominick !
> 
> On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
>>> Hello Dominick !
>>>
>>> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>>>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>>>> Hi Dominick,
>>>>>
>>>>> just a quick question on one of your comments...
>>>>>
>>>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>>>  
>>>>>>>  auth_dontaudit_read_shadow(readahead_t)
>>>>>>>  
>>>>>>> +init_read_fifo_file(readahead_t)
>>>>>>>  init_use_fds(readahead_t)
>>>>>>>  init_use_script_ptys(readahead_t)
>>>>>>>  init_getattr_initctl(readahead_t)
>>>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>>>  
>>>>>>>  ########################################
>>>>>>>  ## <summary>
>>>>>>> +##      Read init fifo file.
>>>>>>> +## </summary>
>>>>>>> +## <param name="domain">
>>>>>>> +##      <summary>
>>>>>>> +##      Domain allowed access.
>>>>>>> +##      </summary>
>>>>>>> +## </param>
>>>>>>> +#
>>>>>>> +interface(`init_read_fifo_file',`
>>>>>>> +		gen_require(`
>>>>>>> +		attribute init_t;
>>>>>>> +	')
>>>>>>> +
>>>>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>>>>> +')
>>>>>>
>>>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>>>> r_fifo_file_perms;
>>>>>
>>>>> Why should we avoid the use of the pattern here ? It gives better
>>>>> readability and also it grants permission to search the parent dir.
>>>>
>>>> I guess you may indeed be right here. I assume that this pipe is
>>>> somewhere in /proc in an init_t directory? If that is so then the caller
>>>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>>>> and in that case the pattern makes good sense.
> 
>>>> It appears that searching domain_type directories is not applicable here.
>>>>
>>>> Can you reproduce this (and in particular the caller searching init_t
>>>> directories?)
>>>
>>> Yes, of course I am quite sure it can be reproduced by just starting up
>>> readahead. Here is the log:
>>>
>>> type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
>>> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>> type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
>>> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>
>> Yes but it does not need to search any init_t type directories from what
>> i can see in your avc denial above.
>>
>> That is why i suggest you use:
>>
>> allow $1 init_t:fifo_file r_fifo_file_perms;
>>
>> instead.
> 
> It was just to keep the interface more generic and eventually re-usable.
> But I have now changed the interface to:

I understand, and allowing a domain to search a directory isnt a big
deal. Yet i learned from experience. I mean there is a "pattern" in
refpolicy, and i almost never see the read_fifo_file_pattern for domain
types used so that is the reason for my suggestion. A nitpick but i had
to mention it anyway. Trying to keep things uniform.

> 
> allow $1 init_t:fifo_file read_fifo_file_perms;
> 
> so it's a bit more optimised and tight.
> 
> Regards,
> 
> Guido
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0/Gp0ACgkQMlxVo39jgT816QCeOVveRof++hSSxAE0D9io4rKT
KWAAnjYOfbm/nj+8t1xn9/CzN1JgRsHk
=O37L
-----END PGP SIGNATURE-----

next prev parent reply	other threads:[~2011-01-25 18:46 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-01-24  0:43 [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy Guido Trentalancia
2011-01-24 14:21 ` Dominick Grift
2011-01-24 15:12   ` Guido Trentalancia
2011-01-24 15:15     ` Dominick Grift
2011-01-31 19:09       ` Christopher J. PeBenito
2011-01-25 18:04   ` Guido Trentalancia
2011-01-25 18:14     ` Dominick Grift
2011-01-25 18:26       ` Guido Trentalancia
2011-01-25 18:30         ` Dominick Grift
2011-01-25 18:39           ` Guido Trentalancia
2011-01-25 18:46             ` Dominick Grift [this message]
2011-01-25 19:20               ` Guido Trentalancia
2011-01-31 19:03         ` Christopher J. PeBenito
2011-01-31 23:00           ` Guido Trentalancia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D3F1A9D.1060707@gmail.com \
    --to=domg472@gmail.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.