* [refpolicy] [patch 1/1] dmesg: reads /proc/version
From: Miroslav Grepl @ 2011-02-18 16:00 UTC
To: refpolicy
http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
* dmesg reads /proc/version
* dmesg needs access to abrt files

* [refpolicy] [patch 1/1] dmesg: reads /proc/version
From: Guido Trentalancia @ 2011-02-19 5:07 UTC
To: refpolicy

Hello Miroslav!

On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>
> * dmesg reads /proc/version
> * dmesg needs access to abrt files

I couldn't find any reference in the source code for dmesg from
util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
reads /proc/version".

Nor do I have any indication from the audit logs on the test system I am
running that dmesg ever required that permission.

Only mount needs to stat() /proc/version.

So, where did you get that from?

And I am not using abrt, but to be honest, I could not find any
reference to abrt files access either.

Regards,

Guido

* [refpolicy] [patch 1/1] dmesg: reads /proc/version
From: Miroslav Grepl @ 2011-02-21 15:14 UTC
To: refpolicy

On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
> Hello Miroslav!
>
> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>
>> * dmesg reads /proc/version
>> * dmesg needs access to abrt files
> I couldn't find any reference in the source code for dmesg from
> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
> reads /proc/version".
>
> Nor do I have any indication from the audit logs on the test system I am
> running that dmesg ever required that permission.
>
> Only mount needs to stat() /proc/version.
>
> So, where did you get that from?

There was a bug saying

type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405 comm="dmesg" path="/proc/version" dev=proc ino=4026532016 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

> And I am not using abrt, but to be honest, I could not find any
> reference to abrt files access either.
>
> Regards,
>
> Guido

* [refpolicy] [patch 1/1] dmesg: reads /proc/version
From: Guido Trentalancia @ 2011-02-21 15:08 UTC
To: refpolicy

Good afternoon Miroslav!

On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
> > Hello Miroslav!
> >
> > On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
> >> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
> >>
> >> * dmesg reads /proc/version
> >> * dmesg needs access to abrt files
> > I couldn't find any reference in the source code for dmesg from
> > util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
> > reads /proc/version".
> >
> > Nor do I have any indication from the audit logs on the test system I am
> > running that dmesg ever required that permission.
> >
> > Only mount needs to stat() /proc/version.
> >
> > So, where did you get that from?
> There was a bug saying
>
> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
> tclass=file

That's not a bug. It's an AVC denial. In other words, SELinux is
preventing some sort of operation.

It still sounds very odd to me.

In any case, I got curious about this issue and I went looking at
Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
quite sure that such an operation is not in the source code for dmesg.

Look for yourself, the code is so short! It's only about calls to
klogctl().

Hope it helps. But let's quit this topic now, because I believe it is
off-theme for this list.

Regards,

Guido

* [refpolicy] [patch 1/1] dmesg: reads /proc/version
From: Daniel J Walsh @ 2011-02-21 15:33 UTC
To: refpolicy

On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
> Good afternoon Miroslav!
>
> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>> Hello Miroslav!
>>>
>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>
>>>> * dmesg reads /proc/version
>>>> * dmesg needs access to abrt files
>>> I couldn't find any reference in the source code for dmesg from
>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>> reads /proc/version".
>>>
>>> Nor do I have any indication from the audit logs on the test system I am
>>> running that dmesg ever required that permission.
>>>
>>> Only mount needs to stat() /proc/version.
>>>
>>> So, where did you get that from?
>> There was a bug saying
>>
>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>> tclass=file
>
> That's not a bug. It's an AVC denial. In other words, SELinux is
> preventing some sort of operation.
>
> It still sounds very odd to me.
>
> In any case, I got curious about this issue and I went looking at
> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
> quite sure that such an operation is not in the source code for dmesg.
>
> Look for yourself, the code is so short! It's only about calls to
> klogctl().
>
> Hope it helps. But let's quit this topic now, because I believe it is
> off-theme for this list.
>
> Regards,
>
> Guido

There is a possibility that the app/domain that executed dmesg leaked an
open file descriptor for read to dmesg, and that is being checked on exec.

* [refpolicy] [patch 1/1] dmesg: reads /proc/version
From: Christopher J. PeBenito @ 2011-02-28 14:43 UTC
To: refpolicy

On 02/21/11 10:33, Daniel J Walsh wrote:
> On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
>> Good afternoon Miroslav!
>
>> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>>> Hello Miroslav!
>>>>
>>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>>
>>>>> * dmesg reads /proc/version
>>>>> * dmesg needs access to abrt files
>>>> I couldn't find any reference in the source code for dmesg from
>>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>>> reads /proc/version".
>>>>
>>>> Nor do I have any indication from the audit logs on the test system I am
>>>> running that dmesg ever required that permission.
>>>>
>>>> Only mount needs to stat() /proc/version.
>>>>
>>>> So, where did you get that from?
>>> There was a bug saying
>>>
>>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
>>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>>> tclass=file
>
>> That's not a bug. It's an AVC denial. In other words, SELinux is
>> preventing some sort of operation.
>
>> It still sounds very odd to me.
>
>> In any case, I got curious about this issue and I went looking at
>> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
>> quite sure that such an operation is not in the source code for dmesg.
>
>> Look for yourself, the code is so short! It's only about calls to
>> klogctl().
>
>> Hope it helps. But let's quit this topic now, because I believe it is
>> off-theme for this list.
>
> There is a possibility that the app/domain that executed dmesg leaked an
> open file descriptor for read to dmesg, and that is being checked on exec.

There is also the possibility that it's a glibc thing.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com