2017-08-12 08:34:59

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem

systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:

avc: denied { associate } for pid=1 comm="systemd" name="pts"
scontext=system_u:object_r:devpts_t
tcontext=system_u:object_r:device_t
tclass=filesystem permissive=1
---
policy/modules/kernel/terminal.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index f71fda4b5e52..ff9ee502888b 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -25,6 +25,7 @@ dev_node(console_device_t)
# the type of the root directory of the file system.
#
type devpts_t;
+dev_associate(devpts_t)
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
fs_xattr_type(devpts_t)
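Review bot: the new `dev_associate(devpts_t)` line carries no comment, and with `fs_associate_tmpfs(devpts_t)` directly below it a later reader may take it for a redundant tmpfs association and drop it; the denial in the commit message is against a `device_t` filesystem (`tcontext=system_u:object_r:device_t tclass=filesystem`), which is the case `dev_associate` covers and tmpfs association does not. Suggest a one-line comment above it, e.g. `# systemd creates /dev/pts as devpts_t on the device_t filesystem before mounting devpts on it`, so the reason survives in the .te file and not only in git history.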
--
2.14.1


2017-08-12 08:35:00

by Nicolas Iooss

Subject: [refpolicy] [PATCH 2/2] init: allow systemd to create /dev/pts as devpts_t

This is currently denied:

avc: denied { create } for pid=1 comm="systemd" name="pts"
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:devpts_t tclass=dir permissive=1
---
policy/modules/kernel/terminal.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 16a96ec77e95..8be5a1d6de8d 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -149,6 +149,24 @@ interface(`term_mount_devpts',`
allow $1 devpts_t:filesystem mount;
')

+########################################
+## <summary>
+## Create directory /dev/pts.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process creating the directory.
+## </summary>
+## </param>
+#
+interface(`term_create_devpts',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir create_dir_perms;
+')
+
########################################
## <summary>
## Create a pty in the /dev/pts directory.
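Review bot: the `<summary>` of `term_create_devpts` says "Create directory /dev/pts", but the interface only grants `create_dir_perms` on `devpts_t:dir`; it neither grants the permission to add the new entry to the parent `/dev` directory nor provides a `type_transition`, so the caller must already be allowed to write `/dev` and must itself set the `devpts_t` file-creation context (which is how the `create` denial in the commit message arises for systemd). Suggest saying so in the doc block, e.g. `## Create the /dev/pts directory with type devpts_t. The caller must separately be allowed to add entries to /dev and must set the devpts_t creation context itself.`, so that users of the interface know what else they need.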
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 65d4a92b2dbb..1329898d6d82 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -323,6 +323,8 @@ ifdef(`init_systemd',`
systemd_manage_passwd_runtime_symlinks(init_t)
systemd_use_passwd_agent(init_t)

+ term_create_devpts(init_t)
+
# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

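Review bot: the new `term_create_devpts(init_t)` call is correctly placed inside the `ifdef(`init_systemd'` block (the denial is from `comm="systemd"` as pid 1), but unlike the udevd call right below it, which explains itself with `# udevd is a "systemd kobject uevent socket activated daemon"`, it has no comment. Suggest `# systemd creates /dev/pts as devpts_t before mounting devpts on it` above the call, and a note in the commit message that this rule only removes the `create` denial when combined with patch 1/2 (`dev_associate(devpts_t)`), since the `associate` denial quoted there is hit in the same code path.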
--
2.14.1
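The two patch messages above each start from a raw AVC denial and translate it by hand into a policy rule (and then into the matching refpolicy interface). As an added example, not code from the thread or from refpolicy, here is a small parser for audit AVC denial lines that does the first half of that translation mechanically: it extracts the source and target types, class and permissions, renders the raw `allow` rule that would satisfy the denial, and singles out the `filesystem:associate` case, where the source context is the label of the object being created rather than a process domain. The two sample lines are the denials quoted in the patches, reflowed onto one line each; the field names and the output format are the standard audit ones, while the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two denials quoted in the patch messages of
# this thread, each reflowed onto a single line as the audit log records it.
SAMPLE_DENIALS = [
    'avc: denied { associate } for pid=1 comm="systemd" name="pts" '
    'scontext=system_u:object_r:devpts_t tcontext=system_u:object_r:device_t '
    'tclass=filesystem permissive=1',
    'avc: denied { create } for pid=1 comm="systemd" name="pts" '
    'scontext=system_u:system_r:init_t tcontext=system_u:object_r:devpts_t '
    'tclass=dir permissive=1',
]

# "avc:  denied  { perm1 perm2 }  for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    fields: Dict[str, str]

    @staticmethod
    def type_of(context: str) -> str:
        # user:role:type[:range] -> type
        return context.split(':')[2]

    @property
    def stype(self) -> str:
        return self.type_of(self.scontext)

    @property
    def ttype(self) -> str:
        return self.type_of(self.tcontext)


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return Denial(
            perms=m.group('perms').split(),
            scontext=fields['scontext'],
            tcontext=fields['tcontext'],
            tclass=fields['tclass'],
            permissive=fields.get('permissive') == '1',
            fields=fields,
        )
    except KeyError:
        return None  # truncated line: one of the mandatory fields is missing


def allow_rule(d: Denial) -> str:
    """Render the raw allow rule that would satisfy the denial (audit2allow style)."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.stype} {d.ttype}:{d.tclass} {perms};'


def explain(d: Denial) -> str:
    """One-line reading of the denial, distinguishing the filesystem-associate case."""
    if d.tclass == 'filesystem' and 'associate' in d.perms:
        # Here scontext is the label of the object being created, not a process
        # domain: objects labelled stype may not live on a filesystem labelled ttype.
        return (f'objects labelled {d.stype} may not be placed on a filesystem '
                f'labelled {d.ttype}')
    who = d.fields.get('comm', d.stype)
    what = d.fields.get('name', '')
    return f'{who} ({d.stype}) may not {" ".join(d.perms)} {d.tclass} {what!r} labelled {d.ttype}'


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of audit lines; non-denial or truncated lines are skipped."""
    out = []
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            out.append({'rule': allow_rule(d), 'explain': explain(d),
                        'permissive': d.permissive})
    return out


if __name__ == '__main__':
    for entry in summarize(SAMPLE_DENIALS):
        print(entry['rule'], '#', entry['explain'])
```

Run on the two sample lines it produces `allow devpts_t device_t:filesystem associate;` and `allow init_t devpts_t:dir create;`; the second half of the work, choosing `dev_associate(devpts_t)` and a `term_create_devpts(init_t)` interface over those raw rules, is the policy judgement the patches make and is deliberately left to the reader. The `permissive=1` flag is kept because denials logged in permissive mode show the full sequence a process attempts, whereas in enforcing mode only the first failing check appears.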

2017-08-12 09:00:37

by Dac Override

Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem

On Sat, Aug 12, 2017 at 10:34:59AM +0200, Nicolas Iooss via refpolicy wrote:
> systemd tries to create /dev/pts directly with its context type
> "devpts_t", but this is not allowed:
>
> avc: denied { associate } for pid=1 comm="systemd" name="pts"
> scontext=system_u:object_r:devpts_t
> tcontext=system_u:object_r:device_t
> tclass=filesystem permissive=1

There is probably a context spec that says that the /dev/pts dir should be of type devpts_t.

If you replace that spec with something like

/dev/pts -d <<None>>

then systemd creates the dir with type device_t, then the devpts fs gets mounted on it and it will show up as devpts_t.

A little bit cleaner in my opinion, but I suppose a matter of taste.

> ---
> policy/modules/kernel/terminal.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> index f71fda4b5e52..ff9ee502888b 100644
> --- a/policy/modules/kernel/terminal.te
> +++ b/policy/modules/kernel/terminal.te
> @@ -25,6 +25,7 @@ dev_node(console_device_t)
> # the type of the root directory of the file system.
> #
> type devpts_t;
> +dev_associate(devpts_t)
> files_mountpoint(devpts_t)
> fs_associate_tmpfs(devpts_t)
> fs_xattr_type(devpts_t)
> --
> 2.14.1
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-08-12 09:03:39

by Dac Override

Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem

On Sat, Aug 12, 2017 at 11:00:37AM +0200, Dominick Grift wrote:
> On Sat, Aug 12, 2017 at 10:34:59AM +0200, Nicolas Iooss via refpolicy wrote:
> > systemd tries to create /dev/pts directly with its context type
> > "devpts_t", but this is not allowed:
> >
> > avc: denied { associate } for pid=1 comm="systemd" name="pts"
> > scontext=system_u:object_r:devpts_t
> > tcontext=system_u:object_r:device_t
> > tclass=filesystem permissive=1
>
> There is probably a context spec that says that the /dev/pts dir should be of type devpts_t.
>
> If you replace that spec with something like
>
> /dev/pts -d <<None>>
>
> then systemd creates the dir with type device_t, then the devpts fs gets mounted on it and it will show up as devpts_t.
>
> A little bit cleaner in my opinion, but I suppose a matter of taste.

Never mind, that would not work for MLS:

/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)

>
> > ---
> > policy/modules/kernel/terminal.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> > index f71fda4b5e52..ff9ee502888b 100644
> > --- a/policy/modules/kernel/terminal.te
> > +++ b/policy/modules/kernel/terminal.te
> > @@ -25,6 +25,7 @@ dev_node(console_device_t)
> > # the type of the root directory of the file system.
> > #
> > type devpts_t;
> > +dev_associate(devpts_t)
> > files_mountpoint(devpts_t)
> > fs_associate_tmpfs(devpts_t)
> > fs_xattr_type(devpts_t)
> > --
> > 2.14.1

2017-08-12 09:09:21

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem

On Sat, Aug 12, 2017 at 11:03 AM, Dominick Grift via refpolicy
<[email protected]> wrote:
> On Sat, Aug 12, 2017 at 11:00:37AM +0200, Dominick Grift wrote:
>> On Sat, Aug 12, 2017 at 10:34:59AM +0200, Nicolas Iooss via refpolicy wrote:
>> > systemd tries to create /dev/pts directly with its context type
>> > "devpts_t", but this is not allowed:
>> >
>> > avc: denied { associate } for pid=1 comm="systemd" name="pts"
>> > scontext=system_u:object_r:devpts_t
>> > tcontext=system_u:object_r:device_t
>> > tclass=filesystem permissive=1
>>
>> There is probably a context spec that says that the /dev/pts dir should be of type devpts_t.
>>
>> If you replace that spec with something like
>>
>> /dev/pts -d <<None>>
>>
>> then systemd creates the dir with type device_t, then the devpts fs gets mounted on it and it will show up as devpts_t.
>>
>> A little bit cleaner in my opinion, but I suppose a matter of taste.
>
> Never mind, that would not work for MLS:
>
> /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)

Thanks for your quick review! This line is indeed what is currently in
refpolicy (https://github.com/TresysTechnology/refpolicy/blob/0ba1970b7cd4a809b155c457913bcd3dad2dc039/policy/modules/kernel/terminal.fc#L26).
I guess it is needed in order for /dev/pts to have the right context
after the devpts filesystem is mounted.

Nicolas

>> > ---
>> > policy/modules/kernel/terminal.te | 1 +
>> > 1 file changed, 1 insertion(+)
>> >
>> > diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
>> > index f71fda4b5e52..ff9ee502888b 100644
>> > --- a/policy/modules/kernel/terminal.te
>> > +++ b/policy/modules/kernel/terminal.te
>> > @@ -25,6 +25,7 @@ dev_node(console_device_t)
>> > # the type of the root directory of the file system.
>> > #
>> > type devpts_t;
>> > +dev_associate(devpts_t)
>> > files_mountpoint(devpts_t)
>> > fs_associate_tmpfs(devpts_t)
>> > fs_xattr_type(devpts_t)
>> > --
>> > 2.14.1

2017-09-06 20:50:57

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem

On Sat, Aug 12, 2017 at 11:09 AM, Nicolas Iooss <[email protected]> wrote:
> On Sat, Aug 12, 2017 at 11:03 AM, Dominick Grift via refpolicy
> <[email protected]> wrote:
>> On Sat, Aug 12, 2017 at 11:00:37AM +0200, Dominick Grift wrote:
>>> On Sat, Aug 12, 2017 at 10:34:59AM +0200, Nicolas Iooss via refpolicy wrote:
>>> > systemd tries to create /dev/pts directly with its context type
>>> > "devpts_t", but this is not allowed:
>>> >
>>> > avc: denied { associate } for pid=1 comm="systemd" name="pts"
>>> > scontext=system_u:object_r:devpts_t
>>> > tcontext=system_u:object_r:device_t
>>> > tclass=filesystem permissive=1
>>>
>>> There is probably a context spec that says that the /dev/pts dir should be of type devpts_t.
>>>
>>> If you replace that spec with something like
>>>
>>> /dev/pts -d <<None>>
>>>
>>> then systemd creates the dir with type device_t, then the devpts fs gets mounted on it and it will show up as devpts_t.
>>>
>>> A little bit cleaner in my opinion, but I suppose a matter of taste.
>>
>> Never mind, that would not work for MLS:
>>
>> /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
>
> Thanks for your quick review! This line is indeed what is currently in
> refpolicy (https://github.com/TresysTechnology/refpolicy/blob/0ba1970b7cd4a809b155c457913bcd3dad2dc039/policy/modules/kernel/terminal.fc#L26).
> I guess it is needed in order for /dev/pts to have the right context
> after the devpts filesystem is mounted.
>
> Nicolas

Hello,
If I correctly understood the discussion about this patch, there are
no issues preventing it from being merged. Could it be merged (and the
one I sent with it, "init: allow systemd to create /dev/pts as
devpts_t") too?

Thanks,
Nicolas

>>> > ---
>>> > policy/modules/kernel/terminal.te | 1 +
>>> > 1 file changed, 1 insertion(+)
>>> >
>>> > diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
>>> > index f71fda4b5e52..ff9ee502888b 100644
>>> > --- a/policy/modules/kernel/terminal.te
>>> > +++ b/policy/modules/kernel/terminal.te
>>> > @@ -25,6 +25,7 @@ dev_node(console_device_t)
>>> > # the type of the root directory of the file system.
>>> > #
>>> > type devpts_t;
>>> > +dev_associate(devpts_t)
>>> > files_mountpoint(devpts_t)
>>> > fs_associate_tmpfs(devpts_t)
>>> > fs_xattr_type(devpts_t)
>>> > --
>>> > 2.14.1

2017-09-08 15:46:54

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem

On 08/12/2017 04:34 AM, Nicolas Iooss via refpolicy wrote:
> systemd tries to create /dev/pts directly with its context type
> "devpts_t", but this is not allowed:
>
> avc: denied { associate } for pid=1 comm="systemd" name="pts"
> scontext=system_u:object_r:devpts_t
> tcontext=system_u:object_r:device_t
> tclass=filesystem permissive=1
> ---
> policy/modules/kernel/terminal.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> index f71fda4b5e52..ff9ee502888b 100644
> --- a/policy/modules/kernel/terminal.te
> +++ b/policy/modules/kernel/terminal.te
> @@ -25,6 +25,7 @@ dev_node(console_device_t)
> # the type of the root directory of the file system.
> #
> type devpts_t;
> +dev_associate(devpts_t)
> files_mountpoint(devpts_t)
> fs_associate_tmpfs(devpts_t)
> fs_xattr_type(devpts_t)

Merged.

--
Chris PeBenito