From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version
Date: Mon, 28 Feb 2011 09:43:21 -0500 [thread overview]
Message-ID: <4D6BB489.3080402@tresys.com> (raw)
In-Reply-To: <4D6285B1.6010207@redhat.com>
On 02/21/11 10:33, Daniel J Walsh wrote:
> On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
>> Good afternoon Miroslav !
>
>> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>>> Hello Miroslav !
>>>>
>>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>>
>>>>> * dmesg reads /proc/version
>>>>> * dmesg needs to access to abrt files
>>>> I couldn't find any reference in the source code for dmesg from
>>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>>> reads /proc/version".
>>>>
>>>> Nor I have any indication from the audit logs on the test system I am
>>>> running that dmesg ever required that permission.
>>>>
>>>> Only mount needs to stat() /proc/version.
>>>>
>>>> So, where did you get that from ?
>>> There was a bug saying
>>>
>>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
>>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>>> tclass=file
>
>> That's not a bug. It's an AVC denial. In other words, SELinux is
>> preventing some sort of operation.
>
>> It still sounds very odd to me.
>
>> In any case, I got curious about this issue and I went looking at
>> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
>> quite sure that such operation is not in the source code for dmesg.
>
>> Look by yourself, the code is so short ! It's only about calls to
>> klogctl().
>
>> Hope it helps. But let's quit this topic now, because I believe it is
>> off-theme for this list.
>
> There is a possiblity that the app/domain that executed dmesg, leaked an
> open file descriptor for read to dmesg, and that is being checked on exec.
There is also the possibility that its a glibc thing.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2011-02-28 14:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-18 16:00 [refpolicy] [patch 1/1] dmesg: reads /proc/version Miroslav Grepl
2011-02-19 5:07 ` Guido Trentalancia
2011-02-21 15:14 ` Miroslav Grepl
2011-02-21 15:08 ` Guido Trentalancia
2011-02-21 15:33 ` Daniel J Walsh
2011-02-28 14:43 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D6BB489.3080402@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.