All of lore.kernel.org
 help / color / mirror / Atom feed
From: mgrepl@redhat.com (Miroslav Grepl)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v1 5/5] Udev's tables (run data) is stored in directories
Date: Tue, 04 Sep 2012 12:18:58 +0200	[thread overview]
Message-ID: <5045D592.7050701@redhat.com> (raw)
In-Reply-To: <1346615503.15262.23.camel@d30.localdomain>

On 09/02/2012 09:51 PM, Dominick Grift wrote:
>
> On Sun, 2012-09-02 at 14:06 +0200, Guido Trentalancia wrote:
>> On Wed, 2012-08-29 at 22:31 +0200, Dominick Grift wrote:
>>> On Wed, 2012-08-29 at 22:20 +0200, Dominick Grift wrote:
>>>> On Wed, 2012-08-29 at 22:04 +0200, Dominick Grift wrote:
>>>>> On Wed, 2012-08-29 at 21:55 +0200, Sven Vermeulen wrote:
>>>>>> On Wed, Aug 29, 2012 at 09:37:55PM +0200, Dominick Grift wrote:
>>>>>>>> -# create udev database in /dev/.udevdb
>>>>>>>> -allow udev_t udev_tbl_t:file manage_file_perms;
>>>>>>>> +allow udev_t udev_tbl_t:dir relabelto;
>>>>>>>> +manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
>>>>>>>> +manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
>>>>>>>> +manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
>>>>>>>> +
>>>>>>>>   dev_filetrans(udev_t, udev_tbl_t, file)
>>>>>>> This doesnt make sense to me.
>> [cut]
>>
>>>>>> Well, the udev code (looking at udev-182 here) has the code for relabeling
>>>>>> in it. For instance, when copy_dev_dir is called, it has
>>>>>>
>>>>>> #v+
>>>>>>                          udev_selinux_setfscreateconat(udev, dirfd(dir_to), dent->d_name, S_IFDIR|0755);
>>>>>>                          mkdirat(dirfd(dir_to), dent->d_name, 0755);
>>>>>>                          udev_selinux_resetfscreatecon(udev);
>>>>>> #v-
>>>>>>
>>>>>> I believe this is the source, but I'm no master in this. I mainly based
>>>>>> myself on the denials and errors I got. If I put in an "auditallow" to show
>>>>>> this, this is the result:
>> At a quick look, the code in most recent versions (the one merged in
>> systemd) apparently has been extended even further in that direction by
>> adding a shared label.c source file.
>>
>> As for such labelling issue, since it is usually always preferable that
>> each one sticks to its own job, perhaps it can be dontaudited and then
>> the relevant "dynamic" path added to restorecond.conf ?
>>
>> The strange thing is that I am running latest udev without any of these
>> modifications (thus including the relabel permission)...
> I am currently rewriting udev policy as part of my project to write a
> systemd policy
Is it based on Fedora systemd policy?
>   and i havent noticed this either yet, although it is
> hinting at it (it needs setfscreate capability and so does systemd by
> the way)
>
> I am not letting these daemons run my security though.
>
>> Regards,
>>
>> Guido
>>
>>
>>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

      parent reply	other threads:[~2012-09-04 10:18 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-29 19:28 [refpolicy] [PATCH v1 0/5] Small set of updates Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 1/5] Puppet uses mount output for verification Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 2/5] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist Sven Vermeulen
2012-08-29 19:41   ` Dominick Grift
2012-08-29 19:59     ` Sven Vermeulen
2012-08-29 20:10       ` Dominick Grift
2012-08-29 19:28 ` [refpolicy] [PATCH v1 3/5] Gentoo's openrc does not require initrc_exec_t for runscripts anymore Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 4/5] Allow init scripts to read courier configuration Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 5/5] Udev's tables (run data) is stored in directories Sven Vermeulen
2012-08-29 19:37   ` Dominick Grift
2012-08-29 19:55     ` Sven Vermeulen
2012-08-29 20:04       ` Dominick Grift
2012-08-29 20:20         ` Dominick Grift
2012-08-29 20:31           ` Dominick Grift
2012-09-02 12:06             ` Guido Trentalancia
2012-09-02 19:51               ` Dominick Grift
2012-09-02 19:59                 ` Dominick Grift
2012-09-04 12:27                   ` Guido Trentalancia
2012-09-04 14:51                     ` Guido Trentalancia
2012-09-09 16:51                     ` Guido Trentalancia
2012-09-03  9:26                 ` Guido Trentalancia
2012-09-04 10:18                 ` Miroslav Grepl [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5045D592.7050701@redhat.com \
    --to=mgrepl@redhat.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.