[refpolicy] [PATCH 1/34]: patch to allow readahead read init

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
@ 2011-02-16  6:00 Guido Trentalancia
  2011-02-22 15:53 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-16  6:00 UTC (permalink / raw)
  To: refpolicy

This patch adds a new interface init_read_fifo_file() and
uses it so that readahead can read init_t fifo files.

diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
--- refpolicy-git-02022011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te	2011-01-26 01:40:07.208360132 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)
 
+init_read_fifo_file(readahead_t)
 init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if
--- refpolicy-git-02022011/policy/modules/system/init.if	2011-02-06 23:07:41.774207748 +0100
+++ refpolicy-git-02022011-new/policy/modules/system/init.if	2011-01-26 01:40:07.026309900 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`
 
 ########################################
 ## <summary>
+##      Read init fifo file.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+		gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ##	Ptrace init
 ## </summary>
 ## <param name="domain">

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
  2011-02-16  6:00 [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files Guido Trentalancia
@ 2011-02-22 15:53 ` Christopher J. PeBenito
  2011-02-22 16:04   ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2011-02-22 15:53 UTC (permalink / raw)
  To: refpolicy

On 02/16/11 01:00, Guido Trentalancia wrote:
> This patch adds a new interface init_read_fifo_file() and
> uses it so that readahead can read init_t fifo files.

This doesn't make sense to me.  Its not run out of init; it shouldn't be
inheriting unnamed pipes from init.  It also makes me question the
existing init_use_fds(readahead_t) rule in the policy.

> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
> --- refpolicy-git-02022011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te	2011-01-26 01:40:07.208360132 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>  
>  auth_dontaudit_read_shadow(readahead_t)
>  
> +init_read_fifo_file(readahead_t)
>  init_use_fds(readahead_t)
>  init_use_script_ptys(readahead_t)
>  init_getattr_initctl(readahead_t)
> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if
> --- refpolicy-git-02022011/policy/modules/system/init.if	2011-02-06 23:07:41.774207748 +0100
> +++ refpolicy-git-02022011-new/policy/modules/system/init.if	2011-01-26 01:40:07.026309900 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>  
>  ########################################
>  ## <summary>
> +##      Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> +		gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:fifo_file read_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Ptrace init
>  ## </summary>
>  ## <param name="domain">
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
  2011-02-22 15:53 ` Christopher J. PeBenito
@ 2011-02-22 16:04   ` Daniel J Walsh
  2011-02-22 17:35     ` Guido Trentalancia
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2011-02-22 16:04 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
>> This patch adds a new interface init_read_fifo_file() and
>> uses it so that readahead can read init_t fifo files.
> 
> This doesn't make sense to me.  Its not run out of init; it shouldn't be
> inheriting unnamed pipes from init.  It also makes me question the
> existing init_use_fds(readahead_t) rule in the policy.
> 
It is run by systemd now in F15
 ls /lib/systemd/systemd-readahead-*
/lib/systemd/systemd-readahead-collect
/lib/systemd/systemd-readahead-replay


>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
>> --- refpolicy-git-02022011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>> +++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te	2011-01-26 01:40:07.208360132 +0100
>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>  
>>  auth_dontaudit_read_shadow(readahead_t)
>>  
>> +init_read_fifo_file(readahead_t)
>>  init_use_fds(readahead_t)
>>  init_use_script_ptys(readahead_t)
>>  init_getattr_initctl(readahead_t)
>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if
>> --- refpolicy-git-02022011/policy/modules/system/init.if	2011-02-06 23:07:41.774207748 +0100
>> +++ refpolicy-git-02022011-new/policy/modules/system/init.if	2011-01-26 01:40:07.026309900 +0100
>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>  
>>  ########################################
>>  ## <summary>
>> +##      Read init fifo file.
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      Domain allowed access.
>> +##      </summary>
>> +## </param>
>> +#
>> +interface(`init_read_fifo_file',`
>> +		gen_require(`
>> +		type init_t;
>> +	')
>> +
>> +	allow $1 init_t:fifo_file read_fifo_file_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>>  ##	Ptrace init
>>  ## </summary>
>>  ## <param name="domain">
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1j3pwACgkQrlYvE4MpobN3mACeJ/jPVTbHtHEjMNXeyXrQVnMx
AZkAoIZxaKGGQuw5g+z7tIJkU2a8JfQw
=OmRJ
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
  2011-02-22 16:04   ` Daniel J Walsh
@ 2011-02-22 17:35     ` Guido Trentalancia
  2011-02-22 19:56       ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Guido Trentalancia @ 2011-02-22 17:35 UTC (permalink / raw)
  To: refpolicy

On Tue, 22/02/2011 at 11.04 -0500, Daniel J Walsh wrote:
> On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
> > On 02/16/11 01:00, Guido Trentalancia wrote:
> >> This patch adds a new interface init_read_fifo_file() and
> >> uses it so that readahead can read init_t fifo files.
> > 
> > This doesn't make sense to me.  Its not run out of init; it shouldn't be
> > inheriting unnamed pipes from init.  It also makes me question the
> > existing init_use_fds(readahead_t) rule in the policy.
> > 
> It is run by systemd now in F15
>  ls /lib/systemd/systemd-readahead-*
> /lib/systemd/systemd-readahead-collect
> /lib/systemd/systemd-readahead-replay

For your information, I am not using systemd. And I am not using
readahead either. I did just install readahead (latest version) and test
it very quickly and there was something being denied:

type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

That's all I can add now.

Regards,

Guido

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
  2011-02-22 17:35     ` Guido Trentalancia
@ 2011-02-22 19:56       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2011-02-22 19:56 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/22/2011 12:35 PM, Guido Trentalancia wrote:
> On Tue, 22/02/2011 at 11.04 -0500, Daniel J Walsh wrote:
>> On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:00, Guido Trentalancia wrote:
>>>> This patch adds a new interface init_read_fifo_file() and
>>>> uses it so that readahead can read init_t fifo files.
>>>
>>> This doesn't make sense to me.  Its not run out of init; it shouldn't be
>>> inheriting unnamed pipes from init.  It also makes me question the
>>> existing init_use_fds(readahead_t) rule in the policy.
>>>
>> It is run by systemd now in F15
>>  ls /lib/systemd/systemd-readahead-*
>> /lib/systemd/systemd-readahead-collect
>> /lib/systemd/systemd-readahead-replay
> 
> For your information, I am not using systemd. And I am not using
> readahead either. I did just install readahead (latest version) and test
> it very quickly and there was something being denied:
> 
> type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> 
> That's all I can add now.
> 
> Regards,
> 
> Guido
> 
Right this shows something we do not do a good job of handling in policy
now.  We do not handle the transitioning of open file descriptors down
two levels.  Let me explain.

We have domain "A_t" which opens up fifo_files to stdin, stdout, stderr,
and transitions to "B_t".  In the domtrans rules we allow B_t to use
A_t:fifo_file read/write.  But if B_t transitions to C_t, we do not pass
the fifo_file down,  we do not have a mechanism for saying allow C_t to
read/write all file descriptors that have been passed to B_t.  So what
you are probably seeing is init_t:fifo_file handed to initrc_t which
then hands them to readahead_t, and you end up with an AVC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1kFPwACgkQrlYvE4MpobO4CwCgviuEU6qyLjmEQvSTFmoJxx8+
5ssAniCS5FyhBfvaFT9/OmbYuSnS+iUQ
=m0/2
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-02-22 19:56 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-16  6:00 [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files Guido Trentalancia
2011-02-22 15:53 ` Christopher J. PeBenito
2011-02-22 16:04   ` Daniel J Walsh
2011-02-22 17:35     ` Guido Trentalancia
2011-02-22 19:56       ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.