2011-02-18 16:00:38

by mgrepl

Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version

http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch

* dmesg reads /proc/version
* dmesg needs access to abrt files


2011-02-19 05:07:03

by Guido Trentalancia

Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version

Hello Miroslav !

On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>
> * dmesg reads /proc/version
> * dmesg needs access to abrt files

I couldn't find any reference in the source code for dmesg from
util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
reads /proc/version".

Nor do I have any indication from the audit logs on the test system I am
running that dmesg ever required that permission.

Only mount needs to stat() /proc/version.

So, where did you get that from ?

And I am not using abrt, but to be honest, I could not find any
reference to abrt files access either.

Regards,

Guido

2011-02-21 15:14:21

by mgrepl

Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version

On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
> Hello Miroslav !
>
> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>
>> * dmesg reads /proc/version
>> * dmesg needs access to abrt files
> I couldn't find any reference in the source code for dmesg from
> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
> reads /proc/version".
>
> Nor do I have any indication from the audit logs on the test system I am
> running that dmesg ever required that permission.
>
> Only mount needs to stat() /proc/version.
>
> So, where did you get that from ?
There was a bug saying

type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
comm="dmesg" path="/proc/version" dev=proc ino=4026532016
scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
tclass=file
> And I am not using abrt, but to be honest, I could not find any
> reference to abrt files access either.
>
> Regards,
>
> Guido
>

2011-02-21 15:08:55

by Guido Trentalancia

Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version

Good afternoon Miroslav !

On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
> > Hello Miroslav !
> >
> > On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
> >> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
> >>
> >> * dmesg reads /proc/version
> >> * dmesg needs access to abrt files
> > I couldn't find any reference in the source code for dmesg from
> > util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
> > reads /proc/version".
> >
> > Nor do I have any indication from the audit logs on the test system I am
> > running that dmesg ever required that permission.
> >
> > Only mount needs to stat() /proc/version.
> >
> > So, where did you get that from ?
> There was a bug saying
>
> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
> tclass=file

That's not a bug. It's an AVC denial. In other words, SELinux is
preventing some sort of operation.

It still sounds very odd to me.

In any case, I got curious about this issue and I went looking at
Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
quite sure that such an operation is not in the source code for dmesg.

Look for yourself, the code is so short ! It's only about calls to
klogctl().

Hope it helps. But let's quit this topic now, because I believe it is
off-theme for this list.

Regards,

Guido

2011-02-21 15:33:05

by Daniel Walsh

Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version

On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
> Good afternoon Miroslav !
>
> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>> Hello Miroslav !
>>>
>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>
>>>> * dmesg reads /proc/version
>>>> * dmesg needs access to abrt files
>>> I couldn't find any reference in the source code for dmesg from
>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>> reads /proc/version".
>>>
>>> Nor do I have any indication from the audit logs on the test system I am
>>> running that dmesg ever required that permission.
>>>
>>> Only mount needs to stat() /proc/version.
>>>
>>> So, where did you get that from ?
>> There was a bug saying
>>
>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>> tclass=file
>
> That's not a bug. It's an AVC denial. In other words, SELinux is
> preventing some sort of operation.
>
> It still sounds very odd to me.
>
> In any case, I got curious about this issue and I went looking at
> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
> quite sure that such an operation is not in the source code for dmesg.
>
> Look for yourself, the code is so short ! It's only about calls to
> klogctl().
>
> Hope it helps. But let's quit this topic now, because I believe it is
> off-theme for this list.
>
> Regards,
>
> Guido

There is a possibility that the app/domain that executed dmesg leaked an
open file descriptor for read to dmesg, and that is being checked on exec.
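To make the record Guido calls "an AVC denial" concrete, and to show where Dan's leaked-descriptor explanation changes the policy response, here is an added example (not part of the thread, of refpolicy, or of Fedora's policy): a parser for the AVC line quoted above that pulls out the source and target types and the permission set, then prints the allow rule the denial maps to and the dontaudit alternative one would use when the access is a side effect (such as an inherited descriptor re-checked at exec) rather than something dmesg needs. The function and constant names are my own; only the Python standard library is used.

```python
import re

# The AVC record quoted in the thread (wrapped there across several lines,
# re-joined here); it is not a constructed sample.
AVC_LINE = (
    "type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405 "
    'comm="dmesg" path="/proc/version" dev=proc ino=4026532016 '
    "scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0 "
    "tclass=file"
)

# Shape: avc: denied { perm perm ... } for key=value key="quoted value" ...
_AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Split one AVC record into a dict of its key=value fields plus 'decision' and 'perms'."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {key: quoted or bare for key, quoted, bare in _KV_RE.findall(m.group("rest"))}
    fields["decision"] = m.group("decision")
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def allow_rule(fields):
    """The rule that would silence the denial by granting the access to the source domain."""
    return "allow %s %s:%s { %s };" % (
        context_type(fields["scontext"]), context_type(fields["tcontext"]),
        fields["tclass"], " ".join(fields["perms"]))


def dontaudit_rule(fields):
    """The alternative when the access should stay denied but not be logged,
    e.g. a descriptor leaked by the caller that dmesg itself never uses."""
    return allow_rule(fields).replace("allow ", "dontaudit ", 1)


if __name__ == "__main__":
    f = parse_avc(AVC_LINE)
    print("%s (pid %s) denied %s on %s: %s -> %s" % (
        f["comm"], f["pid"], "/".join(f["perms"]), f["path"], f["scontext"], f["tcontext"]))
    print(allow_rule(f))
    print(dontaudit_rule(f))
```

The record alone cannot tell an access dmesg performed from one inherited across exec, which is why the thread turns to the source and to the calling domain before choosing between the two rules.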

2011-02-28 14:43:21

by cpebenito

Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version

On 02/21/11 10:33, Daniel J Walsh wrote:
> On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
>> Good afternoon Miroslav !
>
>> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>>> Hello Miroslav !
>>>>
>>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>>
>>>>> * dmesg reads /proc/version
>>>>> * dmesg needs access to abrt files
>>>> I couldn't find any reference in the source code for dmesg from
>>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>>> reads /proc/version".
>>>>
>>>> Nor do I have any indication from the audit logs on the test system I am
>>>> running that dmesg ever required that permission.
>>>>
>>>> Only mount needs to stat() /proc/version.
>>>>
>>>> So, where did you get that from ?
>>> There was a bug saying
>>>
>>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
>>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>>> tclass=file
>
>> That's not a bug. It's an AVC denial. In other words, SELinux is
>> preventing some sort of operation.
>
>> It still sounds very odd to me.
>
>> In any case, I got curious about this issue and I went looking at
>> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
>> quite sure that such an operation is not in the source code for dmesg.
>
>> Look for yourself, the code is so short ! It's only about calls to
>> klogctl().
>
>> Hope it helps. But let's quit this topic now, because I believe it is
>> off-theme for this list.
>
> There is a possibility that the app/domain that executed dmesg leaked an
> open file descriptor for read to dmesg, and that is being checked on exec.

There is also the possibility that it's a glibc thing.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com