Re: lots of allow xxx_device_t device_t:filesystem { associate }

Re: lots of allow xxx_device_t device_t:filesystem { associate }

[Luke Kenneth Casson Leighton]

On Mon, Aug 09, 2004 at 02:43:36PM -0400, Stephen Smalley wrote:
> On Mon, 2004-08-09 at 13:52, Luke Kenneth Casson Leighton wrote:
> > i'm getting an awful lot of the above due to udev creating
> > inodes in /dev which i decided to associate with device_t.
> 
> allow device_type device_t:filesystem associate;
> should cover most cases.
 
 thank you: i found this: i was more concerned that i should
 be setting mount -o fscontext=....fs_t instead?


> > now i have had to add about 15 or 20 lines so far each for pretty
> > much every xxx_device_t under the sun, and am concerned that i
> > am taking the wrong approach.
> 
> Other than the associate permission, what else do you need to add?
 
 eek.

 allow initrc_t device_t:lnk_file { create };
 for a symlink to be created between /proc/self/fd and /dev/fd

 i realise it would be better to move stuff in /etc/init.d/udev
 to a separate program, e.g. /sbin/udev-init, and to have that
 program be given a separate domain instead of having to add
 this to initrc_t.


 allow udev_t device_t:file { getattr unlink };
 for /sbin/udev to stat and remove /dev/null...

 exactly what is going on here i don't know.


 allow udev_t self:process { setfscreate };
 surprise surprise, it's doing the same thing as restorecon,
 so, duh, udev needs this.

 more later.

 l.


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: lots of allow xxx_device_t device_t:filesystem { associate }

[Stephen Smalley]

On Mon, 2004-08-09 at 15:09, Luke Kenneth Casson Leighton wrote:
>  thank you: i found this: i was more concerned that i should
>  be setting mount -o fscontext=....fs_t instead?

No, I think device_t is appropriate here.

>  allow initrc_t device_t:lnk_file { create };
>  for a symlink to be created between /proc/self/fd and /dev/fd
> 
>  i realise it would be better to move stuff in /etc/init.d/udev
>  to a separate program, e.g. /sbin/udev-init, and to have that
>  program be given a separate domain instead of having to add
>  this to initrc_t.

I already see an 'allow initrc_t device_t:lnk_file { unlink };' rule in
initrc.te related to udev operation, so this isn't too surprising.

>  allow udev_t device_t:file { getattr unlink };
>  for /sbin/udev to stat and remove /dev/null...

/dev/null should show up as chr_file, and should be created with
null_device_t anyway.  Is this actually an attempt to unlink udev.tbl?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: lots of allow xxx_device_t device_t:filesystem { associate }

[Luke Kenneth Casson Leighton]

On Mon, Aug 09, 2004 at 03:02:57PM -0400, Stephen Smalley wrote:
> On Mon, 2004-08-09 at 15:09, Luke Kenneth Casson Leighton wrote:
> >  thank you: i found this: i was more concerned that i should
> >  be setting mount -o fscontext=....fs_t instead?
> 
> No, I think device_t is appropriate here.
> 
> >  allow initrc_t device_t:lnk_file { create };
> >  for a symlink to be created between /proc/self/fd and /dev/fd
> > 
> >  i realise it would be better to move stuff in /etc/init.d/udev
> >  to a separate program, e.g. /sbin/udev-init, and to have that
> >  program be given a separate domain instead of having to add
> >  this to initrc_t.
> 
> I already see an 'allow initrc_t device_t:lnk_file { unlink };' rule in
> initrc.te related to udev operation, so this isn't too surprising.
> 
> >  allow udev_t device_t:file { getattr unlink };
> >  for /sbin/udev to stat and remove /dev/null...
> 
> /dev/null should show up as chr_file, and should be created with
> null_device_t anyway.  Is this actually an attempt to unlink udev.tbl?

no, it's definitely an attempt to unlink /dev/null (!).

and it's definitely saying device_t:file.

_after_ init level 1 has completed, ls -Z /dev/null shows
null_device_t on /dev/null.

fuuunnn...

l.



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: lots of allow xxx_device_t device_t:filesystem { associate }

[Russell Coker]

On Tue, 10 Aug 2004 05:43, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > /dev/null should show up as chr_file, and should be created with
> > null_device_t anyway.  Is this actually an attempt to unlink udev.tbl?
>
> no, it's definitely an attempt to unlink /dev/null (!).
>
> and it's definitely saying device_t:file.

In that case you probably have a non-SE Linux bug.  I guess that some program 
is trying to send output to /dev/null when there is no /dev/null device.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: lots of allow xxx_device_t device_t:filesystem { associate }

[Luke Kenneth Casson Leighton]

On Tue, Aug 10, 2004 at 04:45:28PM +1000, Russell Coker wrote:
> On Tue, 10 Aug 2004 05:43, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > /dev/null should show up as chr_file, and should be created with
> > > null_device_t anyway.  Is this actually an attempt to unlink udev.tbl?
> >
> > no, it's definitely an attempt to unlink /dev/null (!).
> >
> > and it's definitely saying device_t:file.
> 
> In that case you probably have a non-SE Linux bug.  I guess that some program 
> is trying to send output to /dev/null when there is no /dev/null device.
 
 that'd make sense because the comments in /etc/init.d/udev say
 "you can't do things like background scripts".

 so, this one for _not_ including in the policy files.

 l.



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel