2011-02-16 06:00:35

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files

This patch adds a new interface init_read_fifo_file() and
uses it so that readahead can read init_t fifo files.

diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
--- refpolicy-git-02022011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te 2011-01-26 01:40:07.208360132 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)

auth_dontaudit_read_shadow(readahead_t)

+init_read_fifo_file(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
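Review bot: the new init_read_fifo_file(readahead_t) line lands directly above init_use_fds(readahead_t), which already states that readahead_t works on descriptors inherited from init, so the commit message should say which fifo objects are meant: an inherited unnamed stdin/stdout pipe is an fd-inheritance matter that init_use_fds was supposed to cover, whereas a named fifo of init's is a genuine file read. Quote the AVC that motivated the rule in the description so the reviewer can tell the two cases apart.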
diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if
--- refpolicy-git-02022011/policy/modules/system/init.if 2011-02-06 23:07:41.774207748 +0100
+++ refpolicy-git-02022011-new/policy/modules/system/init.if 2011-01-26 01:40:07.026309900 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`

########################################
## <summary>
+## Read init fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Ptrace init
## </summary>
## <param name="domain">
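Review bot: the summary "Read init fifo file." undersells what the body grants: `allow $1 init_t:fifo_file read_fifo_file_perms;` applies to every fifo_file object labelled init_t, unnamed pipes inherited from init included, so a caller reading the docs cannot tell that this covers inherited stdin/stdout pipes; spell it out, e.g. "Read init fifo files, including unnamed pipes inherited from init." Also, the hunk as shown indents the gen_require block and the allow line with a single space; make sure the committed text uses the same indentation as the neighbouring interfaces in init.if.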


2011-02-22 15:53:17

by cpebenito

Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files

On 02/16/11 01:00, Guido Trentalancia wrote:
> This patch adds a new interface init_read_fifo_file() and
> uses it so that readahead can read init_t fifo files.

This doesn't make sense to me. It's not run out of init; it shouldn't be
inheriting unnamed pipes from init. It also makes me question the
existing init_use_fds(readahead_t) rule in the policy.

> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
> --- refpolicy-git-02022011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te 2011-01-26 01:40:07.208360132 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>
> auth_dontaudit_read_shadow(readahead_t)
>
> +init_read_fifo_file(readahead_t)
> init_use_fds(readahead_t)
> init_use_script_ptys(readahead_t)
> init_getattr_initctl(readahead_t)
> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if
> --- refpolicy-git-02022011/policy/modules/system/init.if 2011-02-06 23:07:41.774207748 +0100
> +++ refpolicy-git-02022011-new/policy/modules/system/init.if 2011-01-26 01:40:07.026309900 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>
> ########################################
> ## <summary>
> +## Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:fifo_file read_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Ptrace init
> ## </summary>
> ## <param name="domain">
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-02-22 16:04:44

by Daniel Walsh

Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files


On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:00, Guido Trentalancia wrote:
>> This patch adds a new interface init_read_fifo_file() and
>> uses it so that readahead can read init_t fifo files.
>
> This doesn't make sense to me. It's not run out of init; it shouldn't be
> inheriting unnamed pipes from init. It also makes me question the
> existing init_use_fds(readahead_t) rule in the policy.
>
It is run by systemd now in F15.
ls /lib/systemd/systemd-readahead-*
/lib/systemd/systemd-readahead-collect
/lib/systemd/systemd-readahead-replay


>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/admin/readahead.te refpolicy-git-02022011-new/policy/modules/admin/readahead.te
>> --- refpolicy-git-02022011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>> +++ refpolicy-git-02022011-new/policy/modules/admin/readahead.te 2011-01-26 01:40:07.208360132 +0100
>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>
>> auth_dontaudit_read_shadow(readahead_t)
>>
>> +init_read_fifo_file(readahead_t)
>> init_use_fds(readahead_t)
>> init_use_script_ptys(readahead_t)
>> init_getattr_initctl(readahead_t)
>> diff -pruN -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-02022011/policy/modules/system/init.if refpolicy-git-02022011-new/policy/modules/system/init.if
>> --- refpolicy-git-02022011/policy/modules/system/init.if 2011-02-06 23:07:41.774207748 +0100
>> +++ refpolicy-git-02022011-new/policy/modules/system/init.if 2011-01-26 01:40:07.026309900 +0100
>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>
>> ########################################
>> ## <summary>
>> +## Read init fifo file.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`init_read_fifo_file',`
>> + gen_require(`
>> + type init_t;
>> + ')
>> +
>> + allow $1 init_t:fifo_file read_fifo_file_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Ptrace init
>> ## </summary>
>> ## <param name="domain">
>>
>>


2011-02-22 17:35:15

by Guido Trentalancia

Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files

On Tue, 22/02/2011 at 11.04 -0500, Daniel J Walsh wrote:
> On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
> > On 02/16/11 01:00, Guido Trentalancia wrote:
> >> This patch adds a new interface init_read_fifo_file() and
> >> uses it so that readahead can read init_t fifo files.
> >
> > This doesn't make sense to me. It's not run out of init; it shouldn't be
> > inheriting unnamed pipes from init. It also makes me question the
> > existing init_use_fds(readahead_t) rule in the policy.
> >
> It is run by systemd now in F15
> ls /lib/systemd/systemd-readahead-*
> /lib/systemd/systemd-readahead-collect
> /lib/systemd/systemd-readahead-replay

For your information, I am not using systemd. And I am not using
readahead either. I did just install readahead (latest version) and test
it very quickly and there was something being denied:

type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

That's all I can add now.

Regards,

Guido

2011-02-22 19:56:44

by Daniel Walsh

Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files


On 02/22/2011 12:35 PM, Guido Trentalancia wrote:
> On Tue, 22/02/2011 at 11.04 -0500, Daniel J Walsh wrote:
>> On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:00, Guido Trentalancia wrote:
>>>> This patch adds a new interface init_read_fifo_file() and
>>>> uses it so that readahead can read init_t fifo files.
>>>
>>> This doesn't make sense to me. It's not run out of init; it shouldn't be
>>> inheriting unnamed pipes from init. It also makes me question the
>>> existing init_use_fds(readahead_t) rule in the policy.
>>>
>> It is run by systemd now in F15
>> ls /lib/systemd/systemd-readahead-*
>> /lib/systemd/systemd-readahead-collect
>> /lib/systemd/systemd-readahead-replay
>
> For your information, I am not using systemd. And I am not using
> readahead either. I did just install readahead (latest version) and test
> it very quickly and there was something being denied:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>
> That's all I can add now.
>
> Regards,
>
> Guido
>
Right, this shows something we do not do a good job of handling in policy
now. We do not handle the transitioning of open file descriptors down
two levels. Let me explain.

We have domain "A_t" which opens up fifo_files to stdin, stdout, stderr,
and transitions to "B_t". In the domtrans rules we allow B_t to use
A_t:fifo_file read/write. But if B_t transitions to C_t, we do not pass
the fifo_file down, we do not have a mechanism for saying allow C_t to
read/write all file descriptors that have been passed to B_t. So what
you are probably seeing is init_t:fifo_file handed to initrc_t which
then hands them to readahead_t, and you end up with an AVC.
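An added example, not code from the thread or from refpolicy: a small Python triage of the two AVC records Guido posted, which checks that the denied object is an unnamed pipe on pipefs (the inherited-descriptor case Dan describes, init_t -> initrc_t -> readahead_t) rather than a named fifo, and prints the narrowest raw allow rule that would cover the denial. The AVC lines are copied from the message above; the function names are my own.

```python
import re

# Sample input: the two AVC records quoted in the thread above, in the
# "type=AVC msg=audit(...)" and the "type=1400 audit(...)" framings.
AVC_LINES = [
    'type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for '
    'pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 '
    'scontext=system_u:system_r:readahead_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fifo_file',
    'type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 '
    'comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 '
    'scontext=system_u:system_r:readahead_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fifo_file',
]

PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def context_type(ctx):
    """user:role:type:level -> the type, which is what allow rules name."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Pull the permission set, source/target types, class and object out."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    f = {k: q if q else v for k, q, v in KV_RE.findall(line)}
    return {"perms": set(m.group(1).split()),
            "source": context_type(f["scontext"]),
            "target": context_type(f["tcontext"]),
            "tclass": f["tclass"], "comm": f.get("comm", ""),
            "path": f.get("path", ""), "dev": f.get("dev", "")}

def is_inherited_pipe(rec):
    """pipe:[ino] on pipefs is an unnamed pipe: the only way readahead_t can
    hold one is a descriptor inherited down the init_t -> initrc_t ->
    readahead_t chain, so the gap is fd passing, not reading a named fifo."""
    return (rec["tclass"] == "fifo_file" and rec["dev"] == "pipefs"
            and rec["path"].startswith("pipe:["))

def minimal_allow_rule(rec):
    """Narrowest raw allow rule that silences exactly this denial."""
    perms = " ".join(sorted(rec["perms"]))
    if len(rec["perms"]) > 1:
        perms = "{ %s }" % perms
    return "allow %s %s:%s %s;" % (rec["source"], rec["target"],
                                   rec["tclass"], perms)
```

The rule it prints for these records is the single permission the patch's `read_fifo_file_perms` expands well beyond, which is the scope question raised in the review.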