2013-01-12 21:32:18

by Laurent Bigonville

Subject: [refpolicy] [PATCH 00/13] Add more Debian support

Hi,

Please find here some patches to improve Debian support.

Most of them are about adding file contexts. It also adds support for rsyslog,
handles the fact that /var/run/lock is a tmpfs mountpoint, and makes some other changes.

Cheers

Laurent Bigonville


2013-01-12 21:32:19

by Laurent Bigonville

Subject: [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian

From: Laurent Bigonville <[email protected]>

In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
the same way.
---
policy/modules/kernel/filesystem.fc | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index cda5588..3d67e80 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -14,3 +14,8 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
+
+ifdef(`distro_debian',`
+/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/var/run/shm/.* <<none>>
+')
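
Review bot: the commit message and the pattern disagree on which path is the real directory: the message says /dev/shm is a symlink to /var/run/shm, while the mount output later in this thread shows the tmpfs mounted on /run/shm with /var/run itself a symlink to /run. setfiles labels the real path, so this entry only takes effect where the policy's /run to /var/run path substitution is in place; say so in the message. The `-d` plus `<<none>>` pair is the right shape for a tmpfs mountpoint and mirrors the cgroup entry above: only the directory is labeled and the contents are left to the filesystem's own labeling.
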
--
1.7.10.4

2013-01-12 21:32:20

by Laurent Bigonville

Subject: [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t

From: Laurent Bigonville <[email protected]>

---
policy/modules/kernel/files.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c2c6e05..ed67663 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -269,4 +269,5 @@ ifndef(`distro_redhat',`

ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/motd.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
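
Review bot: the period in `/var/run/motd.dynamic` is unescaped and therefore matches any single character; write `/var/run/motd\.dynamic`, as `runlevel\.dir` in init.fc does, so the entry labels only the literal file name. The commit message is also empty; one line on what writes motd.dynamic on Debian would justify the initrc_var_run_t label.
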
--
1.7.10.4

2013-01-12 21:32:21

by Laurent Bigonville

Subject: [refpolicy] [PATCH 03/13] Label /var/run/initctl as initctl_t

From: Laurent Bigonville <[email protected]>

In Debian, the initctl pipe has been moved from /dev/initctl to
/run/initctl.
---
policy/modules/system/init.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 9a4d3a7..bc0ffc8 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -51,6 +51,7 @@ ifdef(`distro_gentoo', `
#
# /var
#
+/var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
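
Review bot: the entry is unconditional while the message describes a Debian-specific move of the pipe. That is acceptable (a pattern for a path that never exists is harmless), but say so in the message, or put it under the same `ifdef(`distro_debian',` guard the other entries in this series use. The message also says /run/initctl while the pattern says /var/run/initctl; the two only coincide where the /run to /var/run substitution is applied, so name the canonical path.
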
--
1.7.10.4

2013-01-12 21:32:22

by Laurent Bigonville

Subject: [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files

From: Laurent Bigonville <[email protected]>

udev_manage_pid_files is supposed to manage files that are located in
/var/run; allow searching that directory instead of /var/lib.
---
policy/modules/system/udev.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 0f64692..9a1650d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -296,7 +296,7 @@ interface(`udev_manage_pid_files',`
type udev_var_run_t;
')

- files_search_var_lib($1)
+ files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')

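
Review bot: correct fix. udev_var_run_t objects live under /var/run, so the caller needs search permission on var_run_t, which `files_search_pids` grants; `files_search_var_lib` only granted search on /var/lib, so the interface only worked when the caller already had /var/run search from elsewhere. Worth checking whether other `*_manage_pid_files` interfaces in the tree carry the same copy-paste mistake.
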
--
1.7.10.4

2013-01-12 21:32:23

by Laurent Bigonville

Subject: [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t

From: Laurent Bigonville <[email protected]>

---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..097b2f0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -217,6 +217,7 @@ ifdef(`distro_gentoo',`
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
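
Review bot: the `\-` escape is unnecessary outside a bracket expression (compare `/usr/lib/emacsen-common/.*` in the same file), and the commit message gives no rationale for the new entry. More importantly, `nm\-.*` also matches nm-dispatcher.action, which patch 11/13 in this series says is labeled NetworkManager_initrc_exec_t; that still works because the entry with the longer literal name sorts later and wins, but the message should note the overlap so nobody "fixes" the ordering later.
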
--
1.7.10.4

2013-01-12 21:32:24

by Laurent Bigonville

Subject: [refpolicy] [PATCH 06/13] Add support for rsyslog

From: Laurent Bigonville <[email protected]>

Allow the sys_nice capability and setsched, allow searching /var/spool, and
allow the syslogd_t domain to read network state files in /proc.

squash! Add support for rsyslog
---
policy/modules/system/logging.te | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39ea221..b642262 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -353,13 +353,15 @@ optional_policy(`

# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
+# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+# setsched for rsyslog
+allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
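
Review bot: `sys_nice` and `setsched` together let syslogd_t change the scheduling of its own threads, and the inline comments follow the existing per-daemon annotation style above, good. Separately, the commit message still carries a `squash!` line left over from an interactive rebase; drop it before this is merged.
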
@@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)

# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
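
Review bot: say what rsyslog needs under /var/spool. `files_search_spool` grants search on the /var/spool directory only; if rsyslog keeps its disk-assisted queue files in a subdirectory there, that directory still needs a labeled type plus create/write rules, and this call alone will leave denials. The call is also placed inside the "create/append log files" block; group it with the other files_* calls instead.
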
@@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)

kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
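
Review bot: state which /proc/net file rsyslog reads and why. Read access to network state is broader than the message suggests, and if the access is only a startup probe that rsyslog tolerates failing, a dontaudit is preferable to an allow; if the read is genuinely needed, this is the right interface.
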
--
1.7.10.4

2013-01-12 21:32:25

by Laurent Bigonville

Subject: [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian

From: Laurent Bigonville <[email protected]>

In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
mount.
---
policy/modules/kernel/files.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..a5554e8 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
tunable_policy(`allow_execmod',`
allow files_unconfined_type file_type:file execmod;
')
+
+ifdef(`distro_debian',`
+ files_mountpoint(var_lock_t)
+')
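
Review bot: the `ifdef(`distro_debian',` guard is not needed: `files_mountpoint()` only adds var_lock_t to the mountpoint attribute, which changes nothing on systems where /var/lock is a plain directory. Drop the guard and put the call next to `type var_lock_t;` and `files_lock_file(var_lock_t)` with the type's other declarations, as is done for var_lib_t, rather than appending it at the end of the file.
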
--
1.7.10.4

2013-01-12 21:32:26

by Laurent Bigonville

Subject: [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories

From: Laurent Bigonville <[email protected]>

In Debian, mount stores some information (a utab file) under the
/var/run/mount directory.

This is inspired by the fedora policy.
---
policy/modules/system/mount.fc | 2 ++
policy/modules/system/mount.te | 8 ++++++++
2 files changed, 10 insertions(+)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 72c746e..a38605e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,3 +2,5 @@
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)

/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
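
Review bot: labeling /var/run/mount(/.*)? unconditionally is right even though the message frames it as Debian-only: the utab file is written by util-linux's libmount wherever that library is in use, and the pattern is harmless where the directory never appears. Reword the message accordingly.
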
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..8fcd782 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -26,6 +26,9 @@ files_type(mount_loopback_t)
type mount_tmp_t;
files_tmp_file(mount_tmp_t)

+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+
# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
@@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

+create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
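
Review bot: these rules grant create and read/write on files and directories but not delete, rename, setattr or lock; if mount rewrites utab through a temporary file (and a lock file beside it), those operations will be denied. Either test a full mount/umount cycle with the rules as written, or use `manage_dirs_pattern`/`manage_files_pattern` as the other pid-file rules in this series do. The `files_pid_filetrans(..., dir, "mount")` name-based transition is correct for creating the directory on a freshly mounted tmpfs /run.
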
--
1.7.10.4

2013-01-12 21:32:27

by Laurent Bigonville

Subject: [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads

From: Laurent Bigonville <[email protected]>

---
policy/modules/system/mount.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 8fcd782..7a58d79 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)
+kernel_setsched(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)
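
Review bot: the message gives no reason for `kernel_setsched(mount_t)`, and a mount helper changing the scheduling of kernel threads is unusual enough that the AVC denial behind it should be quoted. Such denials are frequently a probe (a sched_setscheduler call the program tolerates failing); if that is the case here, a dontaudit is the safer resolution than granting the access to mount_t.
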
--
1.7.10.4

2013-01-12 21:32:28

by Laurent Bigonville

Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files

From: Laurent Bigonville <[email protected]>

---
policy/modules/system/mount.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 7a58d79..d412797 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

+modutils_read_module_deps(mount_t)
+
sysnet_use_portmap(mount_t)

seutil_read_config(mount_t)
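
Review bot: same question as for 09/13: why does mount read the module dependency files? mount_t already has `kernel_request_load_module` (visible in the previous patch), so the kernel can load filesystem modules on its behalf; reading module_deps_t suggests mount is running modprobe itself, in which case a domain transition via `modutils_domtrans_insmod` keeps the module-loading rules out of mount_t.
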
--
1.7.10.4

2013-01-12 21:32:29

by Laurent Bigonville

Subject: [refpolicy] [PATCH 11/13] Add initrc_t to use block_suspend capability

From: Laurent Bigonville <[email protected]>

This is needed by nm-dispatcher.action, which is labeled
NetworkManager_initrc_exec_t and transitions to initrc_t.
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..eb18638 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -226,6 +226,7 @@ optional_policy(`

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability2 block_suspend;
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
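
Review bot: `block_suspend` is granted to all of initrc_t, i.e. every init script, while the only consumer named is one NetworkManager dispatcher script. This capability is usually requested through epoll's EPOLLWAKEUP flag, which the kernel silently drops when the capability is missing, so a dontaudit may be sufficient; if the script genuinely needs it, consider running the dispatcher in a more specific domain than initrc_t.
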
--
1.7.10.4

2013-01-12 21:32:30

by Laurent Bigonville

Subject: [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t

From: Laurent Bigonville <[email protected]>

On Debian, part of gnome-settings-daemon is installed in that
directory.
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 097b2f0..7a5f35a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gnome-settings-daemon/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
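
Review bot: the entry lacks the `--` file-type field that its neighbours (`/usr/lib/gvfs/.* --`, `/usr/lib/ipsec/.* --`) carry, so it would also label subdirectories and symlinks under /usr/lib/gnome-settings-daemon as bin_t. Add `--` unless every object there is a regular executable, and state that in the message.
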
--
1.7.10.4

2013-01-12 21:32:31

by Laurent Bigonville

Subject: [refpolicy] [PATCH 13/13] Label nut drivers that are installed in /lib/nut on Debian as bin_t

From: Laurent Bigonville <[email protected]>

---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 7a5f35a..4b7f9ee 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -132,6 +132,7 @@ ifdef(`distro_debian',`
# /lib
#

+/lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
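
Review bot: the message is empty; say which package installs these drivers and check whether a nut policy module in contrib already has file contexts for them. If the drivers are meant to run in a confined nut domain, labeling them bin_t means no domain transition occurs and they run in the caller's domain.
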
--
1.7.10.4

2013-01-13 18:28:18

by sven.vermeulen

Subject: [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t

Are all files in that location binaries to be executed?


On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <[email protected]> wrote:

> From: Laurent Bigonville <[email protected]>
>
> On Debian, part of gnome-settings-daemon is installed in that
> directory
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc
> b/policy/modules/kernel/corecommands.fc
> index 097b2f0..7a5f35a 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/dpkg/.+ --
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/emacsen-common/.*
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gimp/.*/plug-ins(/.*)?
> gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/gnome-settings-daemon/.*
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/gvfs/.* --
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ipsec/.* --
> gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/kde4/libexec/.* --
> gen_context(system_u:object_r:bin_t,s0)
> --
> 1.7.10.4
>

2013-01-13 18:30:30

by sven.vermeulen

Subject: [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian

Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs) mountpoint
and the lock subdirectory just that - a subdirectory?

I've seen 5 distributions using /var/run as either a tmpfs, or a symlink
to /run which is a tmpfs.


On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <[email protected]> wrote:

> From: Laurent Bigonville <[email protected]>
>
> In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
> mount.
> ---
> policy/modules/kernel/files.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/kernel/files.te
> b/policy/modules/kernel/files.te
> index 148d87a..a5554e8 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
> tunable_policy(`allow_execmod',`
> allow files_unconfined_type file_type:file execmod;
> ')
> +
> +ifdef(`distro_debian',`
> + files_mountpoint(var_lock_t)
> +')
> --
> 1.7.10.4
>

2013-01-13 20:03:05

by dominick.grift

Subject: [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian

On Sun, 2013-01-13 at 19:30 +0100, Sven Vermeulen wrote:
> Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs) mountpoint
> and the lock subdirectory just that - a subdirectory?
>
> I've seen 5 distributions using /var/run as either be a tmpfs, or a symlink
> to /run which is a tmpfs.
>
>

They are both mountpoints in Debian (/run and /run/lock).

At least that is what I saw in Laurent's mount command output.

> On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <[email protected]>wrote:
>
> > From: Laurent Bigonville <[email protected]>
> >
> > In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
> > mount.
> > ---
> > policy/modules/kernel/files.te | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/policy/modules/kernel/files.te
> > b/policy/modules/kernel/files.te
> > index 148d87a..a5554e8 100644
> > --- a/policy/modules/kernel/files.te
> > +++ b/policy/modules/kernel/files.te
> > @@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem *;
> > tunable_policy(`allow_execmod',`
> > allow files_unconfined_type file_type:file execmod;
> > ')
> > +
> > +ifdef(`distro_debian',`
> > + files_mountpoint(var_lock_t)
> > +')
> > --
> > 1.7.10.4
> >

2013-01-13 20:04:45

by dominick.grift

Subject: [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t

On Sun, 2013-01-13 at 19:28 +0100, Sven Vermeulen wrote:
> Are all files in that location binaries to be executed?

Also it needs a --

>
>
> On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville <[email protected]>wrote:
>
> > From: Laurent Bigonville <[email protected]>
> >
> > On Debian, part of gnome-settings-daemon is installed in that
> > directory
> > ---
> > policy/modules/kernel/corecommands.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/kernel/corecommands.fc
> > b/policy/modules/kernel/corecommands.fc
> > index 097b2f0..7a5f35a 100644
> > --- a/policy/modules/kernel/corecommands.fc
> > +++ b/policy/modules/kernel/corecommands.fc
> > @@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
> > /usr/lib/dpkg/.+ --
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/emacsen-common/.*
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/gimp/.*/plug-ins(/.*)?
> > gen_context(system_u:object_r:bin_t,s0)
> > +/usr/lib/gnome-settings-daemon/.*
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/gvfs/.* --
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/ipsec/.* --
> > gen_context(system_u:object_r:bin_t,s0)
> > /usr/lib/kde4/libexec/.* --
> > gen_context(system_u:object_r:bin_t,s0)
> > --
> > 1.7.10.4
> >

2013-01-13 20:05:15

by dominick.grift

Subject: [refpolicy] [PATCH 02/13] Label /var/run/motd.dynamic as initrc_var_run_t

On Sat, 2013-01-12 at 22:32 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>

Best to escape the period
> ---
> policy/modules/kernel/files.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index c2c6e05..ed67663 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -269,4 +269,5 @@ ifndef(`distro_redhat',`
>
> ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/motd.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> ')
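
The two file-context points raised in this thread (the unescaped period in patch 02/13 and the missing `--` file-type field in patch 12/13), plus the overlap between the nm- wildcard of patch 05/13 and the nm-dispatcher.action entry that patch 11/13 mentions, worked through in a small model of file_contexts matching. This is an added example, not refpolicy or libselinux code: the sample entries are constructed, and the winner-selection rule (longest literal stem, then typed over untyped, then later entry) is an assumption that approximates fc_sort ordering plus libselinux's last-match-wins lookup.

```python
import re

# File-type flags used in file_contexts; an absent flag means "any object type".
FTYPE_BY_FLAG = {"--": "file", "-d": "dir", "-p": "fifo", "-l": "symlink",
                 "-s": "socket", "-c": "char", "-b": "block"}
_META = set(".^$?*+|[](){}\\")


def _stem_len(regex):
    """Length of the literal path prefix before the first regex metacharacter
    (simplified stand-in for the specificity fc_sort orders entries by)."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def _context(token):
    """gen_context(system_u:object_r:bin_t,s0) -> 'system_u:object_r:bin_t:s0';
    <<none>> is passed through unchanged."""
    if token.startswith("gen_context(") and token.endswith(")"):
        return token[len("gen_context("):-1].replace(",", ":")
    return token


def parse_file_contexts(text):
    """Parse refpolicy .fc lines into (regex, ftype, context, stem_len, index)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) == 3:
            ftype = FTYPE_BY_FLAG[tokens[1]]
        elif len(tokens) == 2:
            ftype = None
        else:
            raise ValueError("malformed spec: %r" % raw)
        specs.append((re.compile(tokens[0]), ftype, _context(tokens[-1]),
                      _stem_len(tokens[0]), len(specs)))
    return specs


def lookup(specs, path, ftype="file"):
    """Context the winning spec assigns to path, or None if nothing matches.
    Assumed winner rule: longest literal stem, then a typed entry over an
    untyped one, then the later entry in the file."""
    best = None
    for regex, spec_ftype, ctx, stem, idx in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.fullmatch(path) is None:
            continue
        key = (stem, spec_ftype is not None, idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    return None if best is None else best[1]


# Constructed sample entries modelled on the patches under review (not a real .fc).
AS_POSTED = r"""
/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/run/motd.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/usr/lib/gnome-settings-daemon/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
"""
AS_REVISED = r"""
/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
"""


def review_findings():
    """Labels the two spec sets assign to the paths the reviewers worried about."""
    posted = parse_file_contexts(AS_POSTED)
    revised = parse_file_contexts(AS_REVISED)
    gsd_dir = "/usr/lib/gnome-settings-daemon/plugins"
    return {
        # Unescaped '.' matches any character, so an unrelated name gets the label.
        "unescaped_period_overmatches": lookup(posted, "/var/run/motdXdynamic"),
        "escaped_period_exact": lookup(revised, "/var/run/motdXdynamic"),
        # Without '--' a subdirectory is labeled bin_t; with it, it falls back to lib_t.
        "missing_ftype_labels_dir": lookup(posted, gsd_dir, "dir"),
        "with_ftype_dir_falls_back": lookup(revised, gsd_dir, "dir"),
        # The nm- wildcard overlaps the dispatcher entry; the longer literal stem wins.
        "nm_dispatcher_specific_wins": lookup(posted, "/usr/lib/NetworkManager/nm-dispatcher.action"),
        "nm_other_helper": lookup(posted, "/usr/lib/NetworkManager/nm-openvpn-service"),
    }


if __name__ == "__main__":
    for name, ctx in review_findings().items():
        print("%-32s %s" % (name, ctx))
```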

2013-01-14 13:12:39

by Laurent Bigonville

Subject: [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian

On Sun, 13 Jan 2013 21:03:05 +0100,
Dominick Grift <[email protected]> wrote:

> On Sun, 2013-01-13 at 19:30 +0100, Sven Vermeulen wrote:
> > Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs)
> > mountpoint and the lock subdirectory just that - a subdirectory?
> >
> > I've seen 5 distributions using /var/run as either be a tmpfs, or a
> > symlink to /run which is a tmpfs.
> >
> >
>
> They both are mountpoints in debian (/run and /run/lock)
>
> At least that is what i saw from Laurents mount command output

Indeed, on all the wheezy/sid machines I have running ATM (well, that
makes 3, but they were installed at different times), I have
(output of mount | grep tmpfs):

udev on /dev type devtmpfs (rw,relatime,seclabel,size=10240k,nr_inodes=1016576,mode=755)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,seclabel,size=814752k,mode=755)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,size=1629480k)

and (ls -lad /var/*)

lrwxrwxrwx. 1 root root 4 oct 19 20:33 /var/run -> /run
lrwxrwxrwx. 1 root root 9 oct 19 20:33 /var/lock -> /run/lock

Cheers

Laurent Bigonville

2013-01-14 13:18:37

by Laurent Bigonville

Subject: [refpolicy] [PATCH 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t

On Sun, 13 Jan 2013 19:28:18 +0100,
Sven Vermeulen <[email protected]> wrote:

> Are all files in that location binaries to be executed?

Yes

The apt-file search /usr/lib/gnome-settings-daemon/ command shows me that
there are 23 files installed in that directory, all by g-s-d and all
executables.

Cheers

Laurent Bigonville

2013-01-14 13:29:04

by Laurent Bigonville

Subject: [refpolicy] [PATCH v2 12/13] Label executables under /usr/lib/gnome-settings-daemon/ as bin_t

From: Laurent Bigonville <[email protected]>

On Debian, part of gnome-settings-daemon is installed in that
directory.
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..332c3c4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -208,6 +208,7 @@ ifdef(`distro_gentoo',`
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
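
Review bot: the `--` requested in review is there. Note the index line: this revision is diffed against 644d4d7, the base before patch 05/13, rather than against 7a5f35a with 05/13 and 13/13 applied, so apply order matters when the series is merged; the hunks do not overlap, so git will apply it with at most a line offset.
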
--
1.7.10.4

2013-01-14 13:32:11

by Laurent Bigonville

Subject: [refpolicy] [PATCH v2 02/13] Label /var/run/motd.dynamic as initrc_var_run_t

From: Laurent Bigonville <[email protected]>

---
policy/modules/kernel/files.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c2c6e05..b876c48 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -269,4 +269,5 @@ ifndef(`distro_redhat',`

ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
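
Review bot: the period is escaped now, so the pattern matches only the literal name. As with v2 of 12/13, the index line shows this revision is against the original base (c2c6e05), which is fine since it replaces 02/13 outright.
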
--
1.7.10.4

2013-01-14 16:51:17

by Daniel Walsh

Subject: [refpolicy] [PATCH 07/13] Label var_lock_t as a mountpoint in Debian


On 01/13/2013 03:03 PM, Dominick Grift wrote:
> On Sun, 2013-01-13 at 19:30 +0100, Sven Vermeulen wrote:
>> Is /var/run/lock a (tmpfs) mountpoint, or is /var/run a (tmpfs)
>> mountpoint and the lock subdirectory just that - a subdirectory?
>>
>> I've seen 5 distributions using /var/run as either be a tmpfs, or a
>> symlink to /run which is a tmpfs.
>>
>>
>
> They both are mountpoints in debian (/run and /run/lock)
>
> At least that is what i saw from Laurents mount command output
>
>> On Sat, Jan 12, 2013 at 10:32 PM, Laurent Bigonville
>> <[email protected]>wrote:
>>
>>> From: Laurent Bigonville <[email protected]>
>>>
>>> In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
>>> mount. --- policy/modules/kernel/files.te | 4 ++++ 1 file changed, 4
>>> insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/files.te
>>> b/policy/modules/kernel/files.te index 148d87a..a5554e8 100644 ---
>>> a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te
>>> @@ -232,3 +232,7 @@ allow files_unconfined_type file_type:filesystem
>>> *; tunable_policy(`allow_execmod',` allow files_unconfined_type
>>> file_type:file execmod; ') + +ifdef(`distro_debian',` +
>>> files_mountpoint(var_lock_t) +') -- 1.7.10.4
>>>
I see no reason to wrap this in an ifdef block.

2013-01-15 10:23:39

by Laurent Bigonville

Subject: [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint

From: Laurent Bigonville <[email protected]>

In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
mount.
---
policy/modules/kernel/files.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..4a59c76 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -173,6 +173,7 @@ files_mountpoint(var_lib_t)
#
type var_lock_t;
files_lock_file(var_lock_t)
+files_mountpoint(var_lock_t)

#
# var_run_t is the type of /var/run, usually
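
Review bot: the guard is gone and the call now sits with the type's declaration, matching `files_mountpoint(var_lib_t)` in the hunk header. The commit message still reads as if this were Debian-specific; say that the mountpoint designation is harmless elsewhere, which is why it is unconditional.
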
--
1.7.10.4

2013-01-23 12:17:40

by cpebenito

Subject: [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/system/mount.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 8fcd782..7a58d79 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
> kernel_dontaudit_write_proc_dirs(mount_t)
> # To load binfmt_misc kernel module
> kernel_request_load_module(mount_t)
> +kernel_setsched(mount_t)
>
> # required for mount.smbfs
> corecmd_exec_bin(mount_t)

Any idea why this is required?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:17:43

by cpebenito

Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/system/mount.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 7a58d79..d412797 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
>
> miscfiles_read_localization(mount_t)
>
> +modutils_read_module_deps(mount_t)
> +
> sysnet_use_portmap(mount_t)
>
> seutil_read_config(mount_t)
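Review bot: the commit message is empty, and the subject names `module_deps_t` while the type in the AVC records posted later in the thread (and the one the interface targets) is `modules_dep_t`; fix the subject and put those denials in the body. The denials also answer the question of mechanism: they show `{ read }` and `{ open }` on modules.dep with the full path, and an `open` check is raised when the process in mount_t opens the file itself, not when it uses a descriptor inherited across exec (inherited descriptors are checked for read/write at exec time, not for open). So this is mount, or a library it links, reading modules.dep directly. `modutils_read_module_deps` grants only read access to that type, which matches the three denials exactly; if the reason stays unclear, carrying over the Fedora rationale quoted downthread ("probably a leak but not worth blocking") at least records why the rule exists.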

Any idea why this is required?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:27:41

by cpebenito

Subject: [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> In Debian, mount stores some information (a utab file) under the
> /var/run/mount directory.
>
> This is inspired by the fedora policy.

Merged.

> ---
> policy/modules/system/mount.fc | 2 ++
> policy/modules/system/mount.te | 8 ++++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
> index 72c746e..a38605e 100644
> --- a/policy/modules/system/mount.fc
> +++ b/policy/modules/system/mount.fc
> @@ -2,3 +2,5 @@
> /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
>
> /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
> +
> +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 6a50270..8fcd782 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -26,6 +26,9 @@ files_type(mount_loopback_t)
> type mount_tmp_t;
> files_tmp_file(mount_tmp_t)
>
> +type mount_var_run_t;
> +files_pid_file(mount_var_run_t)
> +
> # causes problems with interfaces when
> # this is optionally declared in monolithic
> # policy--duplicate type declaration
> @@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)
>
> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>
> +create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
> +create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
> +rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
> +files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
> +
> kernel_read_system_state(mount_t)
> kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)
>
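Review bot: the three pattern macros in the second mount.te hunk grant create and read/write on mount_var_run_t but not unlink, rename or setattr, so if the utab update ever replaces or removes a temporary or lock file under /var/run/mount those operations will still be denied even though the directory is the domain's own run-time state. `manage_dirs_pattern`/`manage_files_pattern` is the usual form for a domain's private var_run type, with the `files_pid_filetrans` line kept as is. The type declaration and the `.fc` entry are fine as they stand.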


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:27:51

by cpebenito

Subject: [refpolicy] [PATCH v2 07/13] Label var_lock_t as a mountpoint

On 01/15/13 05:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> In Debian, /var/lock is a symlink to /var/run/lock which is a tmpfs
> mount.
> ---
> policy/modules/kernel/files.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 148d87a..4a59c76 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -173,6 +173,7 @@ files_mountpoint(var_lib_t)
> #
> type var_lock_t;
> files_lock_file(var_lock_t)
> +files_mountpoint(var_lock_t)
>
> #
> # var_run_t is the type of /var/run, usually

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:28:04

by cpebenito

Subject: [refpolicy] [PATCH 06/13] Add support for rsyslog

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Allow sys_nice capability, setsched, allow to search in /var/spool and
> syslog_t domain to read network state files in /proc
>
> squash! Add support for rsyslog

Merged.

> ---
> policy/modules/system/logging.te | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 39ea221..b642262 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -353,13 +353,15 @@ optional_policy(`
>
> # chown fsetid for syslog-ng
> # sys_admin for the integrated klog of syslog-ng and metalog
> +# sys_nice for rsyslog
> # cjp: why net_admin!
> -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
> +allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
> dontaudit syslogd_t self:capability sys_tty_config;
> # setpgid for metalog
> # setrlimit for syslog-ng
> # getsched for syslog-ng
> -allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
> +# setsched for rsyslog
> +allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
> # receive messages to be logged
> allow syslogd_t self:unix_dgram_socket create_socket_perms;
> allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
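Review bot: the commit message still carries the `squash! Add support for rsyslog` autosquash marker, which should be dropped before this is applied as a standalone commit. In the hunk itself, `sys_nice` and `setsched` on self are added to the shared syslogd_t domain, so every syslog implementation gets them, which is consistent with how the syslog-ng and metalog permissions in the same block are handled; the per-daemon comments are what keep that traceable, so keep them.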
> @@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
> # create/append log files.
> manage_files_pattern(syslogd_t, var_log_t, var_log_t)
> rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
> +files_search_spool(syslogd_t)
>
> # Allow access for syslog-ng
> allow syslogd_t var_log_t:dir { create setattr };
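Review bot: `files_search_spool(syslogd_t)` only grants search on the /var/spool directory; it does not let rsyslog create or write anything beneath it. If the reason is rsyslog's work directory for disk-assisted queues (Debian's default is under /var/spool/rsyslog), the files written there will need their own type and a filetrans rule, and the commit message should name the path so the next denial is easy to place.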
> @@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
>
> kernel_read_system_state(syslogd_t)
> +kernel_read_network_state(syslogd_t)
> kernel_read_kernel_sysctls(syslogd_t)
> kernel_read_proc_symlinks(syslogd_t)
> # Allow access to /proc/kmsg for syslog-ng
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:28:12

by cpebenito

Subject: [refpolicy] [PATCH 05/13] Label executables in /usr/lib/NetworkManager/ as bin_t

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 644d4d7..097b2f0 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -217,6 +217,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
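Review bot: the hunk header shows this region under `ifdef(`distro_gentoo',``; that is only git's nearest-heading heuristic, but it is worth confirming the new line sits outside that block, since the NetworkManager helpers are not Gentoo-specific and the commit message says nothing about a distro restriction. Style nit: the hyphen in `nm\-.*` does not need escaping outside a character class, so `nm-.*` matches the same set.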

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:28:20

by cpebenito

Subject: [refpolicy] [PATCH 04/13] udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> udev_manage_pid_files is supposed to manage files that are located in
> /var/run, allow to search files in this directory instead of /var/lib
> ---
> policy/modules/system/udev.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 0f64692..9a1650d 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -296,7 +296,7 @@ interface(`udev_manage_pid_files',`
> type udev_var_run_t;
> ')
>
> - files_search_var_lib($1)
> + files_search_pids($1)
> manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
> ')
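Review bot: the subject line names `files_search_pid` but the interface called in the hunk is `files_search_pids`; fix the subject so a later search for the interface name finds this change. The substitution itself is right: udev_var_run_t is a pid file type, so callers need to traverse /var/run, and the old `files_search_var_lib` granted search on an unrelated directory.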

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:29:37

by cpebenito

Subject: [refpolicy] [PATCH 01/13] Label /var/run/shm as tmpfs_t for Debian

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
> the same way.
> ---
> policy/modules/kernel/filesystem.fc | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
> index cda5588..3d67e80 100644
> --- a/policy/modules/kernel/filesystem.fc
> +++ b/policy/modules/kernel/filesystem.fc
> @@ -14,3 +14,8 @@
> # for systemd systems:
> /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> /sys/fs/cgroup/.* <<none>>
> +
> +ifdef(`distro_debian',`
> +/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> +/var/run/shm/.* <<none>>
> +')
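Review bot: the two entries follow the usual tmpfs mountpoint idiom, a `-d` entry for the directory and `<<none>>` so restorecon leaves the mounted contents alone. What the hunk does not cover is the /dev/shm symlink itself, which the commit message says now points at /var/run/shm: a symlink never matches a `-d` entry, so check what type the link ends up with and that the domains reaching /dev/shm are allowed to read that link.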

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 12:29:46

by cpebenito

Subject: [refpolicy] [PATCH v2 02/13] Label /var/run/motd.dynamic as initrc_var_run_t

On 01/14/13 08:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> policy/modules/kernel/files.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index c2c6e05..b876c48 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -269,4 +269,5 @@ ifndef(`distro_redhat',`
>
> ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> ')
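Review bot: escaping the dot in `motd\.dynamic` is correct, and because file context regexes are anchored at both ends the existing `/var/run/motd --` entry above it cannot also match the new path, so there is no ordering concern. The commit message is otherwise empty; a one-line body saying which Debian component writes motd.dynamic would help the next reader.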

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-01-23 20:35:08

by Laurent Bigonville

Subject: [refpolicy] [PATCH 09/13] Allow mount_t to set priority of kernel threads

On Wed, 23 Jan 2013 07:17:40 -0500,
"Christopher J. PeBenito" <[email protected]> wrote:

> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville <[email protected]>
> >
> > ---
> > policy/modules/system/mount.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 8fcd782..7a58d79 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -64,6 +64,7 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
> > kernel_dontaudit_write_proc_dirs(mount_t)
> > # To load binfmt_misc kernel module
> > kernel_request_load_module(mount_t)
> > +kernel_setsched(mount_t)
> >
> > # required for mount.smbfs
> > corecmd_exec_bin(mount_t)
>
> Any idea why this is required?
>

During (early) boot I get this AVC:

[ 8.452944] type=1400 audit(1358970896.236:59): avc: denied { setsched } for pid=1327 comm="mount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process

I'm not too sure why this is required, I see nothing in the code, it's
maybe coming from a dep?

Cheers

Laurent Bigonville

2013-01-23 20:42:07

by Laurent Bigonville

Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files

On Wed, 23 Jan 2013 07:17:43 -0500,
"Christopher J. PeBenito" <[email protected]> wrote:

> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville <[email protected]>
> >
> > ---
> > policy/modules/system/mount.te | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> >
> > miscfiles_read_localization(mount_t)
> >
> > +modutils_read_module_deps(mount_t)
> > +
> > sysnet_use_portmap(mount_t)
> >
> > seutil_read_config(mount_t)
>
> Any idea why this is required?
>

Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
laptop.

BTW this is already in the fedora policy (in an optional_policy block)
with the following commit message:

"Allow mount to read modutils_dep_t, probably a leak but not worth
blocking"

Cheers

Laurent Bigonville

2013-01-24 18:07:22

by Laurent Bigonville

Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files

On Wed, 23 Jan 2013 21:42:07 +0100,
Laurent Bigonville <[email protected]> wrote:

> On Wed, 23 Jan 2013 07:17:43 -0500,
> "Christopher J. PeBenito" <[email protected]> wrote:
>
> > On 01/12/13 16:32, Laurent Bigonville wrote:
> > > From: Laurent Bigonville <[email protected]>
> > >
> > > ---
> > > policy/modules/system/mount.te | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/policy/modules/system/mount.te
> > > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > > --- a/policy/modules/system/mount.te
> > > +++ b/policy/modules/system/mount.te
> > > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> > >
> > > miscfiles_read_localization(mount_t)
> > >
> > > +modutils_read_module_deps(mount_t)
> > > +
> > > sysnet_use_portmap(mount_t)
> > >
> > > seutil_read_config(mount_t)
> >
> > Any idea why this is required?
> >
>
> Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
> laptop.

OK so I tried again, and I see these during early boot:

[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied { read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file


Cheers

Laurent Bigonville

2013-01-29 22:17:35

by Russell Coker

Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files

This looks like an inherited file handle. What process is executing mount? Maybe auditallow rules on executing mount and opening the dep file will reveal what is going wrong.

Laurent Bigonville <[email protected]> wrote:

>On Wed, 23 Jan 2013 21:42:07 +0100,
>Laurent Bigonville <[email protected]> wrote:
>
>> On Wed, 23 Jan 2013 07:17:43 -0500,
>> "Christopher J. PeBenito" <[email protected]> wrote:
>>
>> > On 01/12/13 16:32, Laurent Bigonville wrote:
>> > > From: Laurent Bigonville <[email protected]>
>> > >
>> > > ---
>> > > policy/modules/system/mount.te | 2 ++
>> > > 1 file changed, 2 insertions(+)
>> > >
>> > > diff --git a/policy/modules/system/mount.te
>> > > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
>> > > --- a/policy/modules/system/mount.te
>> > > +++ b/policy/modules/system/mount.te
>> > > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
>> > >
>> > > miscfiles_read_localization(mount_t)
>> > >
>> > > +modutils_read_module_deps(mount_t)
>> > > +
>> > > sysnet_use_portmap(mount_t)
>> > >
>> > > seutil_read_config(mount_t)
>> >
>> > Any idea why this is required?
>> >
>>
>> Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
>> laptop.
>
>OK so I tried again, and I see these during early boot:
>
>[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied { read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>
>
>Cheers
>
>Laurent Bigonville
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

--
My blog http://etbe.coker.com.au
Sent from a Galaxy S3
Android phone with K-9 Mail.
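To make the diagnostic Russell suggests concrete, here is an added example of a small local policy module that records permitted accesses instead of denials. It is not part of the thread or of refpolicy; the module name `localaudit` and the permission sets are my choice, while the types, the `domain` attribute and the `file` class are the ones the thread already discusses. The module only loads on a system where those types exist in the installed policy.

```selinux
# localaudit.te  (added example, not one of the refpolicy patches above)
#
# auditallow logs accesses that the loaded policy PERMITS, so with these
# rules every exec of mount and every read of modules.dep by mount_t shows
# up in the audit log as "avc:  granted", together with the caller's domain.
module localaudit 1.0;

require {
	type mount_t;
	type mount_exec_t;
	type modules_dep_t;
	attribute domain;
	class file { execute read open getattr };
}

# Which domain launches mount?  Every permitted execute of mount_exec_t by
# any domain (the `domain` attribute) is recorded, so the scontext of the
# granted record names the caller.
auditallow domain mount_exec_t:file execute;

# auditallow only fires for accesses that are allowed, so this rule shows
# something only once modutils_read_module_deps(mount_t) (or an equivalent
# allow) is loaded; it then makes the now-silent read visible so it can be
# matched with the exec above by pid and by neighbouring audit serials.
auditallow mount_t modules_dep_t:file { read open getattr };
```

Build and load it with the raw policy tools: `checkmodule -M -m -o localaudit.mod localaudit.te`, then `semodule_package -o localaudit.pp -m localaudit.mod`, then `semodule -i localaudit.pp`. After the next boot (or a manual run of the mount in question) `ausearch -m AVC` lists the `granted` records; the record for the execute gives the launching domain, and the pid shared with the modules.dep records ties the read to that process. Remove the module with `semodule -r localaudit` once the question is answered, since auditallow rules on a frequently executed binary are noisy.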