diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
--- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
auth_dontaudit_read_shadow(readahead_t)
+init_read_fifo_file(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
--- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`
########################################
## <summary>
+## Read init fifo file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+ gen_require(`
+ attribute init_t;
+ ')
+
+ read_fifo_files_pattern($1, init_t, init_t)
+')
+
+########################################
+## <summary>
## Ptrace init
## </summary>
## <param name="domain">
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>
> auth_dontaudit_read_shadow(readahead_t)
>
> +init_read_fifo_file(readahead_t)
> init_use_fds(readahead_t)
> init_use_script_ptys(readahead_t)
> init_getattr_initctl(readahead_t)
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>
> ########################################
> ## <summary>
> +## Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> + gen_require(`
> + attribute init_t;
> + ')
> +
> + read_fifo_files_pattern($1, init_t, init_t)
> +')
no need to for pattern here use: allow $1 init_t:fifo_file
r_fifo_file_perms;
init_t is not an attribute (its a type)
> +
> +########################################
> +## <summary>
> ## Ptrace init
> ## </summary>
> ## <param name="domain">
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09iwUACgkQMlxVo39jgT+z8wCgxkxTW3mmbIfGDj8HHGLlLRuS
LR4AnRlYgmCf/My41QotF2VIfAnehq8D
=F4q9
-----END PGP SIGNATURE-----
On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> > --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >
> > auth_dontaudit_read_shadow(readahead_t)
> >
> > +init_read_fifo_file(readahead_t)
> > init_use_fds(readahead_t)
> > init_use_script_ptys(readahead_t)
> > init_getattr_initctl(readahead_t)
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> > --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >
> > ########################################
> > ## <summary>
> > +## Read init fifo file.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`init_read_fifo_file',`
> > + gen_require(`
> > + attribute init_t;
> > + ')
> > +
> > + read_fifo_files_pattern($1, init_t, init_t)
> > +')
>
> no need to for pattern here use: allow $1 init_t:fifo_file
> r_fifo_file_perms;
Ok will be changed.
> init_t is not an attribute (its a type)
Hmm. That's too true, good point. But elsewhere in the same interface
file it's being declared the same way (see init_ptrace() and
init_read_state()). I think I just copied off bits from there, that's
why... What should be done to the rest of occurrences then ?
> > +
> > +########################################
> > +## <summary>
> > ## Ptrace init
> > ## </summary>
> > ## <param name="domain">
> >
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk09iwUACgkQMlxVo39jgT+z8wCgxkxTW3mmbIfGDj8HHGLlLRuS
> LR4AnRlYgmCf/My41QotF2VIfAnehq8D
> =F4q9
> -----END PGP SIGNATURE-----
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>
>>> auth_dontaudit_read_shadow(readahead_t)
>>>
>>> +init_read_fifo_file(readahead_t)
>>> init_use_fds(readahead_t)
>>> init_use_script_ptys(readahead_t)
>>> init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> + gen_require(`
>>> + attribute init_t;
>>> + ')
>>> +
>>> + read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> no need to for pattern here use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
>
> Ok will be changed.
>
>> init_t is not an attribute (its a type)
>
> Hmm. That's too true, good point. But elsewhere in the same interface
> file it's being declared the same way (see init_ptrace() and
> init_read_state()). I think I just copied off bits from there, that's
> why... What should be done to the rest of occurrences then ?
That should be analysed and determined in each of the remaining occurrences.
You may well have stumbled upon a bug.
>
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Ptrace init
>>> ## </summary>
>>> ## <param name="domain">
>>>
>>>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.16 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk09iwUACgkQMlxVo39jgT+z8wCgxkxTW3mmbIfGDj8HHGLlLRuS
>> LR4AnRlYgmCf/My41QotF2VIfAnehq8D
>> =F4q9
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk09l3cACgkQMlxVo39jgT8kkQCfUoWNoXKmT/lP/nJgb+fLwnk0
3JMAni6n1wBEpZOVq6g0hodqDou9oc9A
=nNQN
-----END PGP SIGNATURE-----
Hi Dominick,
just a quick question on one of your comments...
On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> > --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >
> > auth_dontaudit_read_shadow(readahead_t)
> >
> > +init_read_fifo_file(readahead_t)
> > init_use_fds(readahead_t)
> > init_use_script_ptys(readahead_t)
> > init_getattr_initctl(readahead_t)
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> > --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >
> > ########################################
> > ## <summary>
> > +## Read init fifo file.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`init_read_fifo_file',`
> > + gen_require(`
> > + attribute init_t;
> > + ')
> > +
> > + read_fifo_files_pattern($1, init_t, init_t)
> > +')
>
> no need to for pattern here use: allow $1 init_t:fifo_file
> r_fifo_file_perms;
Why should we avoid the use of the pattern here ? It gives better
readability and also it grants permission to search the parent dir.
Regards,
Guido
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> Hi Dominick,
>
> just a quick question on one of your comments...
>
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>
>>> auth_dontaudit_read_shadow(readahead_t)
>>>
>>> +init_read_fifo_file(readahead_t)
>>> init_use_fds(readahead_t)
>>> init_use_script_ptys(readahead_t)
>>> init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> + gen_require(`
>>> + attribute init_t;
>>> + ')
>>> +
>>> + read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> no need to for pattern here use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
>
> Why should we avoid the use of the pattern here ? It gives better
> readability and also it grants permission to search the parent dir.
I guess you may indeed be right here. I assume that this pipe is
somewhere in /proc in an init_t directory? If that is so then the caller
indeed needs to traverse an init_t directory to get to the pipe i guess,
and in that case the pattern makes good sense.
looking at similar examples thought, like
> interface(`init_rw_script_pipes',`
> gen_require(`
> type initrc_t;
> ')
>
> allow $1 initrc_t:fifo_file { read write };
> ')
And
> interface(`init_write_script_pipes',`
> gen_require(`
> type initrc_t;
> ')
>
> allow $1 initrc_t:fifo_file write;
> ')
It appears that searching domain_type directories is not applicable here.
Can you reproduce this (and in particular the caller searching init_t
directories?)
>
> Regards,
>
> Guido
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0/ExcACgkQMlxVo39jgT+5NACdHO/ZysRYMxLjU0J1+8NcWT2u
nDgAn0Q4PNYqudn97HQFxHh386VDiCeV
=HaKz
-----END PGP SIGNATURE-----
Hello Dominick !
On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> > Hi Dominick,
> >
> > just a quick question on one of your comments...
> >
> > On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> >>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> >>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>
> >>> auth_dontaudit_read_shadow(readahead_t)
> >>>
> >>> +init_read_fifo_file(readahead_t)
> >>> init_use_fds(readahead_t)
> >>> init_use_script_ptys(readahead_t)
> >>> init_getattr_initctl(readahead_t)
> >>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> >>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> >>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>
> >>> ########################################
> >>> ## <summary>
> >>> +## Read init fifo file.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +## <summary>
> >>> +## Domain allowed access.
> >>> +## </summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`init_read_fifo_file',`
> >>> + gen_require(`
> >>> + attribute init_t;
> >>> + ')
> >>> +
> >>> + read_fifo_files_pattern($1, init_t, init_t)
> >>> +')
> >>
> >> no need to for pattern here use: allow $1 init_t:fifo_file
> >> r_fifo_file_perms;
> >
> > Why should we avoid the use of the pattern here ? It gives better
> > readability and also it grants permission to search the parent dir.
>
> I guess you may indeed be right here. I assume that this pipe is
> somewhere in /proc in an init_t directory? If that is so then the caller
> indeed needs to traverse an init_t directory to get to the pipe i guess,
> and in that case the pattern makes good sense.
>
> looking at similar examples thought, like
>
> > interface(`init_rw_script_pipes',`
> > gen_require(`
> > type initrc_t;
> > ')
> >
> > allow $1 initrc_t:fifo_file { read write };
> > ')
>
> And
>
> > interface(`init_write_script_pipes',`
> > gen_require(`
> > type initrc_t;
> > ')
> >
> > allow $1 initrc_t:fifo_file write;
> > ')
>
> It appears that searching domain_type directories is not applicable here.
>
> Can you reproduce this (and in particular the caller searching init_t
> directories?)
Yes, of course I am quite sure it can be reproduced by just starting up
readahead. Here is the log:
type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Regards,
Guido
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>
>>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>>
>>>>> +init_read_fifo_file(readahead_t)
>>>>> init_use_fds(readahead_t)
>>>>> init_use_script_ptys(readahead_t)
>>>>> init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>
>>>>> ########################################
>>>>> ## <summary>
>>>>> +## Read init fifo file.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +## <summary>
>>>>> +## Domain allowed access.
>>>>> +## </summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> + gen_require(`
>>>>> + attribute init_t;
>>>>> + ')
>>>>> +
>>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here ? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>> and in that case the pattern makes good sense.
>>
>> looking at similar examples thought, like
>>
>>> interface(`init_rw_script_pipes',`
>>> gen_require(`
>>> type initrc_t;
>>> ')
>>>
>>> allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> gen_require(`
>>> type initrc_t;
>>> ')
>>>
>>> allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
>
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Yes but it does not need to search any init_t type directories from what
i can see in your avc denial above.
That is why i suggest you use:
allow $1 init_t:fifo_file r_fifo_file_perms;
instead.
> Regards,
>
> Guido
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0/FtIACgkQMlxVo39jgT+afwCfRAz/0CBOTPYTIS40CAQAW8pZ
vUcAn1tadnK+wgIXcLyF/72NHlJ2TWgW
=Y49m
-----END PGP SIGNATURE-----
Hello Dominick !
On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote:
> On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> >>> Hi Dominick,
> >>>
> >>> just a quick question on one of your comments...
> >>>
> >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>>>
> >>>>> auth_dontaudit_read_shadow(readahead_t)
> >>>>>
> >>>>> +init_read_fifo_file(readahead_t)
> >>>>> init_use_fds(readahead_t)
> >>>>> init_use_script_ptys(readahead_t)
> >>>>> init_getattr_initctl(readahead_t)
> >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>>>
> >>>>> ########################################
> >>>>> ## <summary>
> >>>>> +## Read init fifo file.
> >>>>> +## </summary>
> >>>>> +## <param name="domain">
> >>>>> +## <summary>
> >>>>> +## Domain allowed access.
> >>>>> +## </summary>
> >>>>> +## </param>
> >>>>> +#
> >>>>> +interface(`init_read_fifo_file',`
> >>>>> + gen_require(`
> >>>>> + attribute init_t;
> >>>>> + ')
> >>>>> +
> >>>>> + read_fifo_files_pattern($1, init_t, init_t)
> >>>>> +')
> >>>>
> >>>> no need to for pattern here use: allow $1 init_t:fifo_file
> >>>> r_fifo_file_perms;
> >>>
> >>> Why should we avoid the use of the pattern here ? It gives better
> >>> readability and also it grants permission to search the parent dir.
> >>
> >> I guess you may indeed be right here. I assume that this pipe is
> >> somewhere in /proc in an init_t directory? If that is so then the caller
> >> indeed needs to traverse an init_t directory to get to the pipe i guess,
> >> and in that case the pattern makes good sense.
> >> It appears that searching domain_type directories is not applicable here.
> >>
> >> Can you reproduce this (and in particular the caller searching init_t
> >> directories?)
> >
> > Yes, of course I am quite sure it can be reproduced by just starting up
> > readahead. Here is the log:
> >
> > type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> > type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>
> Yes but it does not need to search any init_t type directories from what
> i can see in your avc denial above.
>
> That is why i suggest you use:
>
> allow $1 init_t:fifo_file r_fifo_file_perms;
>
> instead.
It was just to keep the interface more generic and eventually re-usable.
But I have now changed the interface to:
allow $1 init_t:fifo_file read_fifo_file_perms;
so it's a bit more optimised and tight.
Regards,
Guido
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
>>> Hello Dominick !
>>>
>>> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>>>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>>>> Hi Dominick,
>>>>>
>>>>> just a quick question on one of your comments...
>>>>>
>>>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>>>
>>>>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>>>>
>>>>>>> +init_read_fifo_file(readahead_t)
>>>>>>> init_use_fds(readahead_t)
>>>>>>> init_use_script_ptys(readahead_t)
>>>>>>> init_getattr_initctl(readahead_t)
>>>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>>>
>>>>>>> ########################################
>>>>>>> ## <summary>
>>>>>>> +## Read init fifo file.
>>>>>>> +## </summary>
>>>>>>> +## <param name="domain">
>>>>>>> +## <summary>
>>>>>>> +## Domain allowed access.
>>>>>>> +## </summary>
>>>>>>> +## </param>
>>>>>>> +#
>>>>>>> +interface(`init_read_fifo_file',`
>>>>>>> + gen_require(`
>>>>>>> + attribute init_t;
>>>>>>> + ')
>>>>>>> +
>>>>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>>>>> +')
>>>>>>
>>>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>>>> r_fifo_file_perms;
>>>>>
>>>>> Why should we avoid the use of the pattern here ? It gives better
>>>>> readability and also it grants permission to search the parent dir.
>>>>
>>>> I guess you may indeed be right here. I assume that this pipe is
>>>> somewhere in /proc in an init_t directory? If that is so then the caller
>>>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>>>> and in that case the pattern makes good sense.
>
>>>> It appears that searching domain_type directories is not applicable here.
>>>>
>>>> Can you reproduce this (and in particular the caller searching init_t
>>>> directories?)
>>>
>>> Yes, of course I am quite sure it can be reproduced by just starting up
>>> readahead. Here is the log:
>>>
>>> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
>>> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
>>> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>
>> Yes but it does not need to search any init_t type directories from what
>> i can see in your avc denial above.
>>
>> That is why i suggest you use:
>>
>> allow $1 init_t:fifo_file r_fifo_file_perms;
>>
>> instead.
>
> It was just to keep the interface more generic and eventually re-usable.
> But I have now changed the interface to:
I understand, and allowing a domain to search a directory isnt a big
deal. Yet i learned from experience. I mean there is a "pattern" in
refpolicy, and i almost never see the read_fifo_file_pattern for domain
types used so that is the reason for my suggestion. A nitpick but i had
to mention it anyway. Trying to keep things uniform.
>
> allow $1 init_t:fifo_file read_fifo_file_perms;
>
> so it's a bit more optimised and tight.
>
> Regards,
>
> Guido
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0/Gp0ACgkQMlxVo39jgT816QCeOVveRof++hSSxAE0D9io4rKT
KWAAnjYOfbm/nj+8t1xn9/CzN1JgRsHk
=O37L
-----END PGP SIGNATURE-----
On Tue, 25/01/2011 at 19.46 +0100, Dominick Grift wrote:
> On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > It was just to keep the interface more generic and eventually re-usable.
> > But I have now changed the interface to:
>
> I understand, and allowing a domain to search a directory isnt a big
> deal. Yet i learned from experience. I mean there is a "pattern" in
> refpolicy, and i almost never see the read_fifo_file_pattern for domain
> types used so that is the reason for my suggestion. A nitpick but i had
> to mention it anyway. Trying to keep things uniform.
Yes, one of my first aims is to stay definitely uniform unless there is
really a good reason to do things differently because of a possible
improvement which brings some good advantages.
Splitting up dbus:send_msg permissions (to be uni-directional from each
module) was one thing that I thought it could improve the actual
situation for a good reason. But nobody else commented on that, so that
thing is still pending... You didn't manage to convince me yet of your
different opinion, but we'll see ;-)
> > allow $1 init_t:fifo_file read_fifo_file_perms;
> >
> > so it's a bit more optimised and tight.
Regards,
Guido
On 1/25/2011 1:26 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>
>>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>>
>>>>> +init_read_fifo_file(readahead_t)
>>>>> init_use_fds(readahead_t)
>>>>> init_use_script_ptys(readahead_t)
>>>>> init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>
>>>>> ########################################
>>>>> ##<summary>
>>>>> +## Read init fifo file.
>>>>> +##</summary>
>>>>> +##<param name="domain">
>>>>> +##<summary>
>>>>> +## Domain allowed access.
>>>>> +##</summary>
>>>>> +##</param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> + gen_require(`
>>>>> + attribute init_t;
>>>>> + ')
>>>>> +
>>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here ? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>> and in that case the pattern makes good sense.
>>
>> looking at similar examples thought, like
>>
>>> interface(`init_rw_script_pipes',`
>>> gen_require(`
>>> type initrc_t;
>>> ')
>>>
>>> allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> gen_require(`
>>> type initrc_t;
>>> ')
>>>
>>> allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
>
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
The read_fifo_file_perms is appropriate instead of the pattern because
this is an unnamed pipe (note the pipe=). There is no dir to search.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 1/24/2011 10:15 AM, Dominick Grift wrote:
> On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>
>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>
>>>> +init_read_fifo_file(readahead_t)
>>>> init_use_fds(readahead_t)
>>>> init_use_script_ptys(readahead_t)
>>>> init_getattr_initctl(readahead_t)
>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>
>>>> ########################################
>>>> ##<summary>
>>>> +## Read init fifo file.
>>>> +##</summary>
>>>> +##<param name="domain">
>>>> +##<summary>
>>>> +## Domain allowed access.
>>>> +##</summary>
>>>> +##</param>
>>>> +#
>>>> +interface(`init_read_fifo_file',`
>>>> + gen_require(`
>>>> + attribute init_t;
>>>> + ')
>>>> +
>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>> +')
>>>
>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>> r_fifo_file_perms;
>>
>> Ok will be changed.
>>
>>> init_t is not an attribute (its a type)
>>
>> Hmm. That's too true, good point. But elsewhere in the same interface
>> file it's being declared the same way (see init_ptrace() and
>> init_read_state()). I think I just copied off bits from there, that's
>> why... What should be done to the rest of occurrences then ?
>
> That should be analysed and determined in each of the remaining occurrences.
>
> You may well have stumbled upon a bug.
Yep, there are two interfaces with this bug. I have fixed them in git
master.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
Hello Christopher !
On Mon, 31/01/2011 at 14.03 -0500, Christopher J. PeBenito wrote:
> On 1/25/2011 1:26 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> >>> Hi Dominick,
> >>>
> >>> just a quick question on one of your comments...
> >>>
> >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>>>
> >>>>> auth_dontaudit_read_shadow(readahead_t)
> >>>>>
> >>>>> +init_read_fifo_file(readahead_t)
> >>>>> init_use_fds(readahead_t)
> >>>>> init_use_script_ptys(readahead_t)
> >>>>> init_getattr_initctl(readahead_t)
> >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>>>
> >>>>> ########################################
> >>>>> ##<summary>
> >>>>> +## Read init fifo file.
> >>>>> +##</summary>
> >>>>> +##<param name="domain">
> >>>>> +##<summary>
> >>>>> +## Domain allowed access.
> >>>>> +##</summary>
> >>>>> +##</param>
> >>>>> +#
> >>>>> +interface(`init_read_fifo_file',`
> >>>>> + gen_require(`
> >>>>> + attribute init_t;
> >>>>> + ')
> >>>>> +
> >>>>> + read_fifo_files_pattern($1, init_t, init_t)
> >>>>> +')
> >>>>
> >>>> no need to for pattern here use: allow $1 init_t:fifo_file
> >>>> r_fifo_file_perms;
> >>>
> >>> Why should we avoid the use of the pattern here ? It gives better
> >>> readability and also it grants permission to search the parent dir.
> >>
> >> I guess you may indeed be right here. I assume that this pipe is
> >> somewhere in /proc in an init_t directory? If that is so then the caller
> >> indeed needs to traverse an init_t directory to get to the pipe i guess,
> >> and in that case the pattern makes good sense.
> >>
> >> looking at similar examples thought, like
> >>
> >>> interface(`init_rw_script_pipes',`
> >>> gen_require(`
> >>> type initrc_t;
> >>> ')
> >>>
> >>> allow $1 initrc_t:fifo_file { read write };
> >>> ')
> >>
> >> And
> >>
> >>> interface(`init_write_script_pipes',`
> >>> gen_require(`
> >>> type initrc_t;
> >>> ')
> >>>
> >>> allow $1 initrc_t:fifo_file write;
> >>> ')
> >>
> >> It appears that searching domain_type directories is not applicable here.
> >>
> >> Can you reproduce this (and in particular the caller searching init_t
> >> directories?)
> >
> > Yes, of course I am quite sure it can be reproduced by just starting up
> > readahead. Here is the log:
> >
> > type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> > type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>
> The read_fifo_file_perms is appropriate instead of the pattern because
> this is an unnamed pipe (note the pipe=). There is no dir to search.
Thanks for confirming.
Do you also confirm the attribute versus type issue regarding init_t (at
lines 940 and 961 of the existing policy/modules/system/init.if and in
the new interface that I had created) ?
Dominick spotted that out and now I also believe that is a typo.
If the latter is confirmed, my worry is how comes nothing in the build
process (or any subsequent step) failed ?
Regards,
Guido