* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-24 0:43 UTC
To: refpolicy

diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
--- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)
 
+init_read_fifo_file(readahead_t)
 init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
--- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`
 
 ########################################
 ## <summary>
+##	Read init fifo file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	read_fifo_files_pattern($1, init_t, init_t)
+')
+
+########################################
+## <summary>
 ##	Ptrace init
 ## </summary>
 ## <param name="domain">
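Review bot: the readahead.te hunk calls `init_read_fifo_file(readahead_t)` without saying which denial it resolves; the evidence only appears later in the thread (readahead_t reading an init_t `fifo_file` on pipefs, `path="pipe:[8853]"` and `path="pipe:[3384]"`). Put those AVC lines, or at least "readahead reads the pipe it inherits from init", into the commit message so the new rule can be audited from the git log alone.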
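Review bot: in the init.if hunk, `gen_require` declares `attribute init_t;` but init_t is a type (the denials quoted in the thread carry `tcontext=system_u:system_r:init_t:s0`, and the sibling interfaces `init_rw_script_pipes` / `init_write_script_pipes` require `type initrc_t;`); this should read `type init_t;`. Separately, `read_fifo_files_pattern($1, init_t, init_t)` also grants search on init_t directories, which an anonymous pipe on pipefs never needs; `allow $1 init_t:fifo_file read_fifo_file_perms;` is the tighter rule for the access actually denied.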
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-24 14:21 UTC
To: refpolicy

On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>
>  auth_dontaudit_read_shadow(readahead_t)
>
> +init_read_fifo_file(readahead_t)
>  init_use_fds(readahead_t)
>  init_use_script_ptys(readahead_t)
>  init_getattr_initctl(readahead_t)
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>
>  ########################################
>  ## <summary>
> +##	Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> +	gen_require(`
> +		attribute init_t;
> +	')
> +
> +	read_fifo_files_pattern($1, init_t, init_t)
> +')

No need for the pattern here; use: allow $1 init_t:fifo_file
r_fifo_file_perms;

init_t is not an attribute (it's a type)

> +
> +########################################
> +## <summary>
>  ##	Ptrace init
>  ## </summary>
>  ## <param name="domain">
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-24 15:12 UTC
To: refpolicy

On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> > --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >
> >  auth_dontaudit_read_shadow(readahead_t)
> >
> > +init_read_fifo_file(readahead_t)
> >  init_use_fds(readahead_t)
> >  init_use_script_ptys(readahead_t)
> >  init_getattr_initctl(readahead_t)
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> > --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >
> >  ########################################
> >  ## <summary>
> > +##	Read init fifo file.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`init_read_fifo_file',`
> > +	gen_require(`
> > +		attribute init_t;
> > +	')
> > +
> > +	read_fifo_files_pattern($1, init_t, init_t)
> > +')
>
> No need for the pattern here; use: allow $1 init_t:fifo_file
> r_fifo_file_perms;

Ok, will be changed.

> init_t is not an attribute (it's a type)

Hmm. That's too true, good point. But elsewhere in the same interface
file it's being declared the same way (see init_ptrace() and
init_read_state()). I think I just copied off bits from there, that's
why... What should be done with the rest of the occurrences then?

> > +
> > +########################################
> > +## <summary>
> >  ##	Ptrace init
> >  ## </summary>
> >  ## <param name="domain">
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-24 15:15 UTC
To: refpolicy

On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>
>>>  auth_dontaudit_read_shadow(readahead_t)
>>>
>>> +init_read_fifo_file(readahead_t)
>>>  init_use_fds(readahead_t)
>>>  init_use_script_ptys(readahead_t)
>>>  init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>
>>>  ########################################
>>>  ## <summary>
>>> +##	Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> +	gen_require(`
>>> +		attribute init_t;
>>> +	')
>>> +
>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> No need for the pattern here; use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
>
> Ok, will be changed.
>
>> init_t is not an attribute (it's a type)
>
> Hmm. That's too true, good point. But elsewhere in the same interface
> file it's being declared the same way (see init_ptrace() and
> init_read_state()). I think I just copied off bits from there, that's
> why... What should be done with the rest of the occurrences then?

That should be analysed and determined in each of the remaining occurrences.

You may well have stumbled upon a bug.

>
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Ptrace init
>>>  ## </summary>
>>>  ## <param name="domain">
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Christopher J. PeBenito @ 2011-01-31 19:09 UTC
To: refpolicy

On 1/24/2011 10:15 AM, Dominick Grift wrote:
> On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>
>>>>  auth_dontaudit_read_shadow(readahead_t)
>>>>
>>>> +init_read_fifo_file(readahead_t)
>>>>  init_use_fds(readahead_t)
>>>>  init_use_script_ptys(readahead_t)
>>>>  init_getattr_initctl(readahead_t)
>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>
>>>>  ########################################
>>>>  ## <summary>
>>>> +##	Read init fifo file.
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +#
>>>> +interface(`init_read_fifo_file',`
>>>> +	gen_require(`
>>>> +		attribute init_t;
>>>> +	')
>>>> +
>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>> +')
>>>
>>> No need for the pattern here; use: allow $1 init_t:fifo_file
>>> r_fifo_file_perms;
>>
>> Ok, will be changed.
>>
>>> init_t is not an attribute (it's a type)
>>
>> Hmm. That's too true, good point. But elsewhere in the same interface
>> file it's being declared the same way (see init_ptrace() and
>> init_read_state()). I think I just copied off bits from there, that's
>> why... What should be done with the rest of the occurrences then?
>
> That should be analysed and determined in each of the remaining occurrences.
>
> You may well have stumbled upon a bug.

Yep, there are two interfaces with this bug. I have fixed them in git master.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
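A lint pass written for this thread (an added example, not refpolicy tooling): it reads the `type`/`attribute` declarations from a .te excerpt and reports any gen_require block in an .if excerpt that requires the same identifier with the other keyword, which is the bug Chris fixed in two interfaces. Both excerpts below are constructed; the `daemon` attribute is filler from memory of init.te, init_t and initrc_t come from the thread.

```python
"""Added example, not refpolicy tooling: report gen_require blocks in an
interface file that declare an identifier with the wrong keyword, i.e.
`attribute foo_t;` where the policy says `type foo_t;` (or vice versa)."""
import re

# Constructed .te excerpt: one attribute and the two types from the thread.
TE_SRC = """\
attribute daemon;
type init_t;
type initrc_t;
"""

# Constructed .if excerpt: the interface from the patch (mis-declared) next
# to one of the sibling interfaces quoted later in the thread (correct).
IF_SRC = """\
interface(`init_read_fifo_file',`
	gen_require(`
		attribute init_t;
	')

	read_fifo_files_pattern($1, init_t, init_t)
')

interface(`init_write_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file write;
')
"""

# In a .te file `type a_t, attr1, attr2;` declares only a_t (the rest are
# attribute memberships); inside gen_require the same statement lists
# several required names, so the two callers below split differently.
DECL_RE = re.compile(r"^\s*(type|attribute)\s+([^;]+);", re.M)
IFACE_RE = re.compile(r"interface\(`([A-Za-z0-9_]+)',`(.*?)^'\)", re.S | re.M)
REQ_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)


def declared_kinds(te_src):
    """Map each identifier declared in .te source to 'type' or 'attribute'."""
    return {names.split(",")[0].strip(): kind
            for kind, names in DECL_RE.findall(te_src)}


def require_decls(if_src):
    """Yield (interface, keyword, name) for every name in a gen_require."""
    for iface, body in IFACE_RE.findall(if_src):
        for req in REQ_RE.findall(body):
            for kind, names in DECL_RE.findall(req):
                for name in names.split(","):
                    yield iface, kind, name.strip()


def mismatches(te_src, if_src):
    """(interface, name, keyword used, keyword declared) for each clash."""
    kinds = declared_kinds(te_src)
    return [(iface, name, kind, kinds[name])
            for iface, kind, name in require_decls(if_src)
            if name in kinds and kinds[name] != kind]


if __name__ == "__main__":
    for iface, name, used, real in mismatches(TE_SRC, IF_SRC):
        print("%s: gen_require says '%s %s' but it is declared as a %s"
              % (iface, used, name, real))
```

Point it at a real tree by reading the .te and .if files into the two strings; identifiers declared in other modules simply go unchecked.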
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-25 18:04 UTC
To: refpolicy

Hi Dominick,

just a quick question on one of your comments...

On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> > --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >
> >  auth_dontaudit_read_shadow(readahead_t)
> >
> > +init_read_fifo_file(readahead_t)
> >  init_use_fds(readahead_t)
> >  init_use_script_ptys(readahead_t)
> >  init_getattr_initctl(readahead_t)
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> > --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >
> >  ########################################
> >  ## <summary>
> > +##	Read init fifo file.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`init_read_fifo_file',`
> > +	gen_require(`
> > +		attribute init_t;
> > +	')
> > +
> > +	read_fifo_files_pattern($1, init_t, init_t)
> > +')
>
> No need for the pattern here; use: allow $1 init_t:fifo_file
> r_fifo_file_perms;

Why should we avoid the use of the pattern here? It gives better
readability and also it grants permission to search the parent dir.

Regards,

Guido
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-25 18:14 UTC
To: refpolicy

On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> Hi Dominick,
>
> just a quick question on one of your comments...
>
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>
>>>  auth_dontaudit_read_shadow(readahead_t)
>>>
>>> +init_read_fifo_file(readahead_t)
>>>  init_use_fds(readahead_t)
>>>  init_use_script_ptys(readahead_t)
>>>  init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>
>>>  ########################################
>>>  ## <summary>
>>> +##	Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> +	gen_require(`
>>> +		attribute init_t;
>>> +	')
>>> +
>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> No need for the pattern here; use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
>
> Why should we avoid the use of the pattern here? It gives better
> readability and also it grants permission to search the parent dir.

I guess you may indeed be right here. I assume that this pipe is
somewhere in /proc in an init_t directory? If that is so then the caller
indeed needs to traverse an init_t directory to get to the pipe I guess,
and in that case the pattern makes good sense.

Looking at similar examples though, like

> interface(`init_rw_script_pipes',`
> 	gen_require(`
> 		type initrc_t;
> 	')
>
> 	allow $1 initrc_t:fifo_file { read write };
> ')

And

> interface(`init_write_script_pipes',`
> 	gen_require(`
> 		type initrc_t;
> 	')
>
> 	allow $1 initrc_t:fifo_file write;
> ')

It appears that searching domain_type directories is not applicable here.

Can you reproduce this (and in particular the caller searching init_t
directories?)

>
> Regards,
>
> Guido
>
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-25 18:26 UTC
To: refpolicy

Hello Dominick!

On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> > Hi Dominick,
> >
> > just a quick question on one of your comments...
> >
> > On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> >>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> >>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>
> >>>  auth_dontaudit_read_shadow(readahead_t)
> >>>
> >>> +init_read_fifo_file(readahead_t)
> >>>  init_use_fds(readahead_t)
> >>>  init_use_script_ptys(readahead_t)
> >>>  init_getattr_initctl(readahead_t)
> >>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> >>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> >>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>
> >>>  ########################################
> >>>  ## <summary>
> >>> +##	Read init fifo file.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##	<summary>
> >>> +##	Domain allowed access.
> >>> +##	</summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`init_read_fifo_file',`
> >>> +	gen_require(`
> >>> +		attribute init_t;
> >>> +	')
> >>> +
> >>> +	read_fifo_files_pattern($1, init_t, init_t)
> >>> +')
> >>
> >> No need for the pattern here; use: allow $1 init_t:fifo_file
> >> r_fifo_file_perms;
> >
> > Why should we avoid the use of the pattern here? It gives better
> > readability and also it grants permission to search the parent dir.
>
> I guess you may indeed be right here. I assume that this pipe is
> somewhere in /proc in an init_t directory? If that is so then the caller
> indeed needs to traverse an init_t directory to get to the pipe I guess,
> and in that case the pattern makes good sense.
>
> Looking at similar examples though, like
>
> > interface(`init_rw_script_pipes',`
> > 	gen_require(`
> > 		type initrc_t;
> > 	')
> >
> > 	allow $1 initrc_t:fifo_file { read write };
> > ')
>
> And
>
> > interface(`init_write_script_pipes',`
> > 	gen_require(`
> > 		type initrc_t;
> > 	')
> >
> > 	allow $1 initrc_t:fifo_file write;
> > ')
>
> It appears that searching domain_type directories is not applicable here.
>
> Can you reproduce this (and in particular the caller searching init_t
> directories?)

Yes, of course I am quite sure it can be reproduced by just starting up
readahead. Here is the log:

type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

Regards,

Guido
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-25 18:30 UTC
To: refpolicy

On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
> Hello Dominick!
>
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>
>>>>>  auth_dontaudit_read_shadow(readahead_t)
>>>>>
>>>>> +init_read_fifo_file(readahead_t)
>>>>>  init_use_fds(readahead_t)
>>>>>  init_use_script_ptys(readahead_t)
>>>>>  init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>
>>>>>  ########################################
>>>>>  ## <summary>
>>>>> +##	Read init fifo file.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +##	<summary>
>>>>> +##	Domain allowed access.
>>>>> +##	</summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> +	gen_require(`
>>>>> +		attribute init_t;
>>>>> +	')
>>>>> +
>>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> No need for the pattern here; use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe I guess,
>> and in that case the pattern makes good sense.
>>
>> Looking at similar examples though, like
>>
>>> interface(`init_rw_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
>
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

Yes, but it does not need to search any init_t type directories from what
I can see in your avc denial above.

That is why I suggest you use:

allow $1 init_t:fifo_file r_fifo_file_perms;

instead.

> Regards,
>
> Guido
>
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy 2011-01-25 18:30 ` Dominick Grift @ 2011-01-25 18:39 ` Guido Trentalancia 2011-01-25 18:46 ` Dominick Grift 0 siblings, 1 reply; 14+ messages in thread From: Guido Trentalancia @ 2011-01-25 18:39 UTC (permalink / raw) To: refpolicy Hello Dominick ! On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote: > On 01/25/2011 07:26 PM, Guido Trentalancia wrote: > > Hello Dominick ! > > > > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote: > >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote: > >>> Hi Dominick, > >>> > >>> just a quick question on one of your comments... > >>> > >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote: > >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote: > >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te > >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 > >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 > >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) > >>>>> > >>>>> auth_dontaudit_read_shadow(readahead_t) > >>>>> > >>>>> +init_read_fifo_file(readahead_t) > >>>>> init_use_fds(readahead_t) > >>>>> init_use_script_ptys(readahead_t) > >>>>> init_getattr_initctl(readahead_t) > >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if > >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 > >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100 
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',` > >>>>> > >>>>> ######################################## > >>>>> ## <summary> > >>>>> +## Read init fifo file. > >>>>> +## </summary> > >>>>> +## <param name="domain"> > >>>>> +## <summary> > >>>>> +## Domain allowed access. > >>>>> +## </summary> > >>>>> +## </param> > >>>>> +# > >>>>> +interface(`init_read_fifo_file',` > >>>>> + gen_require(` > >>>>> + attribute init_t; > >>>>> + ') > >>>>> + > >>>>> + read_fifo_files_pattern($1, init_t, init_t) > >>>>> +') > >>>> > >>>> no need to for pattern here use: allow $1 init_t:fifo_file > >>>> r_fifo_file_perms; > >>> > >>> Why should we avoid the use of the pattern here ? It gives better > >>> readability and also it grants permission to search the parent dir. > >> > >> I guess you may indeed be right here. I assume that this pipe is > >> somewhere in /proc in an init_t directory? If that is so then the caller > >> indeed needs to traverse an init_t directory to get to the pipe i guess, > >> and in that case the pattern makes good sense. > >> It appears that searching domain_type directories is not applicable here. > >> > >> Can you reproduce this (and in particular the caller searching init_t > >> directories?) > > > > Yes, of course I am quite sure it can be reproduced by just starting up > > readahead. Here is the log: > > > > type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for > > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 > > scontext=system_u:system_r:readahead_t:s0 > > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file > > type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 > > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 > > scontext=system_u:system_r:readahead_t:s0 > > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file > > Yes but it does not need to search any init_t type directories from what > i can see in your avc denial above. 
> > That is why i suggest you use:
> >
> > allow $1 init_t:fifo_file r_fifo_file_perms;
> >
> > instead.

It was just to keep the interface more generic and eventually re-usable. But I have now changed the interface to:

allow $1 init_t:fifo_file read_fifo_file_perms;

so it's a bit more optimised and tight.

Regards,

Guido
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy 2011-01-25 18:39 ` Guido Trentalancia @ 2011-01-25 18:46 ` Dominick Grift 2011-01-25 19:20 ` Guido Trentalancia 0 siblings, 1 reply; 14+ messages in thread From: Dominick Grift @ 2011-01-25 18:46 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/25/2011 07:39 PM, Guido Trentalancia wrote: > Hello Dominick ! > > On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote: >> On 01/25/2011 07:26 PM, Guido Trentalancia wrote: >>> Hello Dominick ! >>> >>> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote: >>>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote: >>>>> Hi Dominick, >>>>> >>>>> just a quick question on one of your comments... >>>>> >>>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote: >>>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote: >>>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te >>>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 >>>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 
>>>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) >>>>>>> >>>>>>> auth_dontaudit_read_shadow(readahead_t) >>>>>>> >>>>>>> +init_read_fifo_file(readahead_t) >>>>>>> init_use_fds(readahead_t) >>>>>>> init_use_script_ptys(readahead_t) >>>>>>> init_getattr_initctl(readahead_t) >>>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if >>>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 >>>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100 
>>>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',` >>>>>>> >>>>>>> ######################################## >>>>>>> ## <summary> >>>>>>> +## Read init fifo file. >>>>>>> +## </summary> >>>>>>> +## <param name="domain"> >>>>>>> +## <summary> >>>>>>> +## Domain allowed access. >>>>>>> +## </summary> >>>>>>> +## </param> >>>>>>> +# >>>>>>> +interface(`init_read_fifo_file',` >>>>>>> + gen_require(` >>>>>>> + attribute init_t; >>>>>>> + ') >>>>>>> + >>>>>>> + read_fifo_files_pattern($1, init_t, init_t) >>>>>>> +') >>>>>> >>>>>> no need to for pattern here use: allow $1 init_t:fifo_file >>>>>> r_fifo_file_perms; >>>>> >>>>> Why should we avoid the use of the pattern here ? It gives better >>>>> readability and also it grants permission to search the parent dir. >>>> >>>> I guess you may indeed be right here. I assume that this pipe is >>>> somewhere in /proc in an init_t directory? If that is so then the caller >>>> indeed needs to traverse an init_t directory to get to the pipe i guess, >>>> and in that case the pattern makes good sense. > >>>> It appears that searching domain_type directories is not applicable here. >>>> >>>> Can you reproduce this (and in particular the caller searching init_t >>>> directories?) >>> >>> Yes, of course I am quite sure it can be reproduced by just starting up >>> readahead. Here is the log: >>> >>> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for >>> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 >>> scontext=system_u:system_r:readahead_t:s0 >>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file >>> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 >>> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 >>> scontext=system_u:system_r:readahead_t:s0 >>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file >> >> Yes but it does not need to search any init_t type directories from what >> i can see in your avc denial above. 
>>
>> That is why i suggest you use:
>>
>> allow $1 init_t:fifo_file r_fifo_file_perms;
>>
>> instead.
>
> It was just to keep the interface more generic and eventually re-usable.
> But I have now changed the interface to:

I understand, and allowing a domain to search a directory isn't a big deal. Yet I learned from experience. I mean there is a "pattern" in refpolicy, and I almost never see the read_fifo_file_pattern for domain types used, so that is the reason for my suggestion. A nitpick, but I had to mention it anyway. Trying to keep things uniform.

>
> allow $1 init_t:fifo_file read_fifo_file_perms;
>
> so it's a bit more optimised and tight.
>
> Regards,
>
> Guido
>
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-25 19:20 UTC
To: refpolicy

On Tue, 25/01/2011 at 19.46 +0100, Dominick Grift wrote:
> On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > It was just to keep the interface more generic and eventually re-usable.
> > But I have now changed the interface to:
>
> I understand, and allowing a domain to search a directory isnt a big
> deal. Yet i learned from experience. I mean there is a "pattern" in
> refpolicy, and i almost never see the read_fifo_file_pattern for domain
> types used so that is the reason for my suggestion. A nitpick but i had
> to mention it anyway. Trying to keep things uniform.

Yes, one of my first aims is to stay definitely uniform unless there is really a good reason to do things differently because of a possible improvement which brings some good advantages.

Splitting up dbus:send_msg permissions (to be uni-directional from each module) was one thing that I thought could improve the actual situation for a good reason. But nobody else commented on that, so that thing is still pending...

You didn't manage to convince me yet of your different opinion, but we'll see ;-)

> > allow $1 init_t:fifo_file read_fifo_file_perms;
> >
> > so it's a bit more optimised and tight.

Regards,

Guido
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy 2011-01-25 18:26 ` Guido Trentalancia 2011-01-25 18:30 ` Dominick Grift @ 2011-01-31 19:03 ` Christopher J. PeBenito 2011-01-31 23:00 ` Guido Trentalancia 1 sibling, 1 reply; 14+ messages in thread From: Christopher J. PeBenito @ 2011-01-31 19:03 UTC (permalink / raw) To: refpolicy On 1/25/2011 1:26 PM, Guido Trentalancia wrote: > Hello Dominick ! > > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote: >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote: >>> Hi Dominick, >>> >>> just a quick question on one of your comments... >>> >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote: >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote: >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) >>>>> >>>>> auth_dontaudit_read_shadow(readahead_t) >>>>> >>>>> +init_read_fifo_file(readahead_t) >>>>> init_use_fds(readahead_t) >>>>> init_use_script_ptys(readahead_t) >>>>> init_getattr_initctl(readahead_t) >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100 
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',` >>>>> >>>>> ######################################## >>>>> ##<summary> >>>>> +## Read init fifo file. >>>>> +##</summary> >>>>> +##<param name="domain"> >>>>> +##<summary> >>>>> +## Domain allowed access. >>>>> +##</summary> >>>>> +##</param> >>>>> +# >>>>> +interface(`init_read_fifo_file',` >>>>> + gen_require(` >>>>> + attribute init_t; >>>>> + ') >>>>> + >>>>> + read_fifo_files_pattern($1, init_t, init_t) >>>>> +') >>>> >>>> no need to for pattern here use: allow $1 init_t:fifo_file >>>> r_fifo_file_perms; >>> >>> Why should we avoid the use of the pattern here ? It gives better >>> readability and also it grants permission to search the parent dir. >> >> I guess you may indeed be right here. I assume that this pipe is >> somewhere in /proc in an init_t directory? If that is so then the caller >> indeed needs to traverse an init_t directory to get to the pipe i guess, >> and in that case the pattern makes good sense. >> >> looking at similar examples thought, like >> >>> interface(`init_rw_script_pipes',` >>> gen_require(` >>> type initrc_t; >>> ') >>> >>> allow $1 initrc_t:fifo_file { read write }; >>> ') >> >> And >> >>> interface(`init_write_script_pipes',` >>> gen_require(` >>> type initrc_t; >>> ') >>> >>> allow $1 initrc_t:fifo_file write; >>> ') >> >> It appears that searching domain_type directories is not applicable here. >> >> Can you reproduce this (and in particular the caller searching init_t >> directories?) > > Yes, of course I am quite sure it can be reproduced by just starting up > readahead. 
> Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

The read_fifo_file_perms is appropriate instead of the pattern because this is an unnamed pipe (note the pipe=). There is no dir to search.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
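As an added illustration of the point above (not code from the thread or from refpolicy), a small Python triage script that parses the AVC denials quoted in this message and proposes the plain allow for an unnamed pipe (dev=pipefs, path="pipe:[...]") and the directory-searching pattern only for a named fifo; the third log record, its example_t and var_run_t types, and the <parent_dir_type> placeholder are constructed here.

```python
import re

# Constructed sample log: the two readahead denials quoted in the thread, plus
# one constructed named-fifo denial (example_t, var_run_t and its path are made
# up here) for the contrasting case.
SAMPLE_AVC = (
    'type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for pid=2661 '
    'comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 '
    'scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file\n'
    'type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 '
    'comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 '
    'scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file\n'
    'type=AVC msg=audit(1294704900.000:20000): avc: denied { read } for pid=2700 '
    'comm="example" path="/run/example/ctl.fifo" dev=tmpfs ino=42 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=fifo_file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into permissions, source/target types and object details."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],  # user:role:type:level -> type
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path', ''),
        'dev': fields.get('dev', ''),
    }


def is_unnamed_pipe(denial):
    """Unnamed pipes live on pipefs and show up as path="pipe:[inode]"; they have
    no directory entry, so no parent-directory search is ever needed."""
    return (denial['tclass'] == 'fifo_file' and denial['dev'] == 'pipefs'
            and denial['path'].startswith('pipe:['))


def suggest_rule(denial):
    """Suggest the refpolicy rule shape for one fifo_file read denial, or None."""
    if denial is None or denial['tclass'] != 'fifo_file' or 'read' not in denial['perms']:
        return None
    if is_unnamed_pipe(denial):
        # Nothing to traverse: the plain allow is sufficient and tighter than the pattern.
        return f"allow {denial['stype']} {denial['ttype']}:fifo_file read_fifo_file_perms;"
    # A named fifo is reached through a directory, so the pattern (which also grants
    # search on the directory type) fits; the AVC does not name that type, hence a placeholder.
    return f"read_fifo_files_pattern({denial['stype']}, <parent_dir_type>, {denial['ttype']})"


def suggest_rules(log_text):
    """Distinct suggested rules for every fifo_file read denial in a log, in first-seen order."""
    rules = {}
    for line in log_text.splitlines():
        rule = suggest_rule(parse_avc(line))
        if rule:
            rules[rule] = None  # dict dedupes while keeping insertion order
    return list(rules)
```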
* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy 2011-01-31 19:03 ` Christopher J. PeBenito @ 2011-01-31 23:00 ` Guido Trentalancia 0 siblings, 0 replies; 14+ messages in thread From: Guido Trentalancia @ 2011-01-31 23:00 UTC (permalink / raw) To: refpolicy Hello Christopher ! On Mon, 31/01/2011 at 14.03 -0500, Christopher J. PeBenito wrote: > On 1/25/2011 1:26 PM, Guido Trentalancia wrote: > > Hello Dominick ! > > > > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote: > >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote: > >>> Hi Dominick, > >>> > >>> just a quick question on one of your comments... > >>> > >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote: > >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote: > >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te > >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 > >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 > >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) > >>>>> > >>>>> auth_dontaudit_read_shadow(readahead_t) > >>>>> > >>>>> +init_read_fifo_file(readahead_t) > >>>>> init_use_fds(readahead_t) > >>>>> init_use_script_ptys(readahead_t) > >>>>> init_getattr_initctl(readahead_t) > >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if > >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 > >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100 
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',` > >>>>> > >>>>> ######################################## > >>>>> ##<summary> > >>>>> +## Read init fifo file. > >>>>> +##</summary> > >>>>> +##<param name="domain"> > >>>>> +##<summary> > >>>>> +## Domain allowed access. > >>>>> +##</summary> > >>>>> +##</param> > >>>>> +# > >>>>> +interface(`init_read_fifo_file',` > >>>>> + gen_require(` > >>>>> + attribute init_t; > >>>>> + ') > >>>>> + > >>>>> + read_fifo_files_pattern($1, init_t, init_t) > >>>>> +') > >>>> > >>>> no need to for pattern here use: allow $1 init_t:fifo_file > >>>> r_fifo_file_perms; > >>> > >>> Why should we avoid the use of the pattern here ? It gives better > >>> readability and also it grants permission to search the parent dir. > >> > >> I guess you may indeed be right here. I assume that this pipe is > >> somewhere in /proc in an init_t directory? If that is so then the caller > >> indeed needs to traverse an init_t directory to get to the pipe i guess, > >> and in that case the pattern makes good sense. > >> > >> looking at similar examples thought, like > >> > >>> interface(`init_rw_script_pipes',` > >>> gen_require(` > >>> type initrc_t; > >>> ') > >>> > >>> allow $1 initrc_t:fifo_file { read write }; > >>> ') > >> > >> And > >> > >>> interface(`init_write_script_pipes',` > >>> gen_require(` > >>> type initrc_t; > >>> ') > >>> > >>> allow $1 initrc_t:fifo_file write; > >>> ') > >> > >> It appears that searching domain_type directories is not applicable here. > >> > >> Can you reproduce this (and in particular the caller searching init_t > >> directories?) > > > > Yes, of course I am quite sure it can be reproduced by just starting up > > readahead. 
> > Here is the log:
> >
> > type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> > type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>
> The read_fifo_file_perms is appropriate instead of the pattern because
> this is an unnamed pipe (note the pipe=). There is no dir to search.

Thanks for confirming.

Do you also confirm the attribute versus type issue regarding init_t (at lines 940 and 961 of the existing policy/modules/system/init.if and in the new interface that I had created)? Dominick spotted that, and now I also believe that it is a typo.

If the latter is confirmed, my worry is how come nothing in the build process (or any subsequent step) failed?

Regards,

Guido