[refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy

[cpebenito@tresys.com (Christopher J. PeBenito)]

On 1/25/2011 1:26 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>
>>>>>   auth_dontaudit_read_shadow(readahead_t)
>>>>>
>>>>> +init_read_fifo_file(readahead_t)
>>>>>   init_use_fds(readahead_t)
>>>>>   init_use_script_ptys(readahead_t)
>>>>>   init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>
>>>>>   ########################################
>>>>>   ##<summary>
>>>>> +##      Read init fifo file.
>>>>> +##</summary>
>>>>> +##<param name="domain">
>>>>> +##<summary>
>>>>> +##      Domain allowed access.
>>>>> +##</summary>
>>>>> +##</param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> +		gen_require(`
>>>>> +		attribute init_t;
>>>>> +	')
>>>>> +
>>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here ? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>> and in that case the pattern makes good sense.
>>
>> looking at similar examples thought, like
>>
>>> interface(`init_rw_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
>
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

The read_fifo_file_perms is appropriate instead of the pattern because 
this is an unnamed pipe (note the pipe=).  There is no dir to search.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com