2011-02-16 06:42:03

by Guido Trentalancia

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

This patch allows mount to use kernel file descriptors.

diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
--- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
+++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
@@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

+kernel_use_fds(mount_t)
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
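Review bot: the description gives no justification for the new rule, and `kernel_use_fds(mount_t)` grants mount_t use of every descriptor owned by kernel_t, not just the one that prompted it. Put the triggering AVC record (the `{ use }` denial on `/dev/pts/0`, tclass=fd, tcontext kernel_t that appears later in this thread) and the boot-time circumstances into the patch description, and if the descriptor turns out to be a terminal inherited from before the initial policy load, consider `kernel_dontaudit_use_fds(mount_t)` to silence the denial instead of widening the allow.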


2011-02-28 15:05:48

by cpebenito

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On 02/16/11 01:42, Guido Trentalancia wrote:
> This patch allows mount to use kernel file descriptors.
>
> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>
> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>
> +kernel_use_fds(mount_t)
> kernel_read_system_state(mount_t)
> kernel_read_kernel_sysctls(mount_t)
> kernel_dontaudit_getattr_core_if(mount_t)

How did you come across this?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-02-28 19:16:16

by Guido Trentalancia

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:42, Guido Trentalancia wrote:
> > This patch allows mount to use kernel file descriptors.
> >
> > diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> > --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
> > +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
> > @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >
> > files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >
> > +kernel_use_fds(mount_t)
> > kernel_read_system_state(mount_t)
> > kernel_read_kernel_sysctls(mount_t)
> > kernel_dontaudit_getattr_core_if(mount_t)
>
> How did you come across this?

type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
comm="mount" path="/dev/pts/0" dev=devpts ino=3
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=fd

Regards,

Guido

2011-03-01 19:10:56

by cpebenito

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On 02/28/11 14:16, Guido Trentalancia wrote:
> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>> This patch allows mount to use kernel file descriptors.
>>>
>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>
>>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>
>>> +kernel_use_fds(mount_t)
>>> kernel_read_system_state(mount_t)
>>> kernel_read_kernel_sysctls(mount_t)
>>> kernel_dontaudit_getattr_core_if(mount_t)
>>
>> How did you come across this?
>
> type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
> comm="mount" path="/dev/pts/0" dev=devpts ino=3
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=fd

Can you provide more detail? What was happening on the system?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-03-01 21:08:35

by Guido Trentalancia

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
> On 02/28/11 14:16, Guido Trentalancia wrote:
> > On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:42, Guido Trentalancia wrote:
> >>> This patch allows mount to use kernel file descriptors.
> >>>
> >>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> >>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
> >>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
> >>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >>>
> >>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >>>
> >>> +kernel_use_fds(mount_t)
> >>> kernel_read_system_state(mount_t)
> >>> kernel_read_kernel_sysctls(mount_t)
> >>> kernel_dontaudit_getattr_core_if(mount_t)
> >>
> >> How did you come across this?
> >
> > type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
> > comm="mount" path="/dev/pts/0" dev=devpts ino=3
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>
> Can you provide more detail? What was happening on the system?

Unfortunately I cannot provide more details now. I believe it's
happening at boot-up. I am also quite sure it's not critical. And the
only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
from Fedora (will be obsoleted soon by the way).

You could just drop it for the time being...

Regards,

Guido

2011-03-02 19:07:37

by Daniel Walsh

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors


On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
>> On 02/28/11 14:16, Guido Trentalancia wrote:
>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>>>> This patch allows mount to use kernel file descriptors.
>>>>>
>>>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
>>>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>>>
>>>>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>>>
>>>>> +kernel_use_fds(mount_t)
>>>>> kernel_read_system_state(mount_t)
>>>>> kernel_read_kernel_sysctls(mount_t)
>>>>> kernel_dontaudit_getattr_core_if(mount_t)
>>>>
>>>> How did you come across this?
>>>
>>> type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
>>> scontext=system_u:system_r:mount_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>>
>> Can you provide more detail? What was happening on the system?
>
> Unfortunately I cannot provide more details now. I believe it's
> happening at boot-up. I am also quite sure it's not critical. And the
> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> from Fedora (will be obsoleted soon by the way).
>
> You could just drop it for the time being...
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout
passes it to init, which passes it to initrc_t which passes it to
mount_t. (init_t could pass it directly to mount_t).



2011-03-02 19:47:57

by Guido Trentalancia

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote:
> On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
> > On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
> >> On 02/28/11 14:16, Guido Trentalancia wrote:
> >>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> >>>> On 02/16/11 01:42, Guido Trentalancia wrote:
> >>>>> This patch allows mount to use kernel file descriptors.
> >>>>>
> >>>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> >>>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
> >>>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
> >>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >>>>>
> >>>>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >>>>>
> >>>>> +kernel_use_fds(mount_t)
> >>>>> kernel_read_system_state(mount_t)
> >>>>> kernel_read_kernel_sysctls(mount_t)
> >>>>> kernel_dontaudit_getattr_core_if(mount_t)
> >>>>
> >>>> How did you come across this?
> >>>
> >>> type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
> >>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
> >>> scontext=system_u:system_r:mount_t:s0
> >>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
> >>
> >> Can you provide more detail? What was happening on the system?
> >
> > Unfortunately I cannot provide more details now. I believe it's
> > happening at boot-up. I am also quite sure it's not critical. And the
> > only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> > from Fedora (will be obsoleted soon by the way).
> >
> > You could just drop it for the time being...
> >
> > Regards,
> >
> > Guido
> >
>
> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout
> passes it to init, which passes it to initrc_t which passes it to
> mount_t. (init_t could pass it directly to mount_t).

And mount_t uses it to print out messages such as "mount
point /proc/bus/usb does not exist" very early during boot-up. Does this
sound like a possible end of the story?

Regards,

Guido

2011-03-03 13:39:37

by cpebenito

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On 3/2/2011 2:47 PM, Guido Trentalancia wrote:
> On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote:
>> On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
>>> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
>>>> On 02/28/11 14:16, Guido Trentalancia wrote:
>>>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>>>>>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>>>>>> This patch allows mount to use kernel file descriptors.
>>>>>>>
>>>>>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>>>>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
>>>>>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
>>>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>>>>>
>>>>>>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>>>>>
>>>>>>> +kernel_use_fds(mount_t)
>>>>>>> kernel_read_system_state(mount_t)
>>>>>>> kernel_read_kernel_sysctls(mount_t)
>>>>>>> kernel_dontaudit_getattr_core_if(mount_t)
>>>>>>
>>>>>> How did you come across this?
>>>>>
>>>>> type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
>>>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
>>>>> scontext=system_u:system_r:mount_t:s0
>>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>>>>
>>>> Can you provide more detail? What was happening on the system?
>>>
>>> Unfortunately I cannot provide more details now. I believe it's
>>> happening at boot-up. I am also quite sure it's not critical. And the
>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
>>> from Fedora (will be obsoleted soon by the way).
>>>
>>> You could just drop it for the time being...
>>
>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout
>> passes it to init, which passes it to initrc_t which passes it to
>> mount_t. (init_t could pass it directly to mount_t).
>
> And mount_t uses it to print out messages such as "mount
> point /proc/bus/usb does not exist" very early during boot-up. Does this
> sound like a possible end of the story?

This scenario doesn't sound right to me. Why would the kernel be using
a pty? I would expect it to be using /dev/console.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-03-03 13:49:05

by Daniel Walsh

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors


On 03/03/2011 08:39 AM, Christopher J. PeBenito wrote:
> On 3/2/2011 2:47 PM, Guido Trentalancia wrote:
>> On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote:
>>> On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
>>>> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
>>>>> On 02/28/11 14:16, Guido Trentalancia wrote:
>>>>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>>>>>>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>>>>>>> This patch allows mount to use kernel file descriptors.
>>>>>>>>
>>>>>>>> diff -pruN
>>>>>>>> refpolicy-git-15022011-test/policy/modules/system/mount.te
>>>>>>>> refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>>>>>>> ---
>>>>>>>> refpolicy-git-15022011-test/policy/modules/system/mount.te
>>>>>>>> 2011-02-16 02:34:33.253189215 +0100
>>>>>>>> +++
>>>>>>>> refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16
>>>>>>>> 03:54:18.732023725 +0100
>>>>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>>>>>>
>>>>>>>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>>>>>>
>>>>>>>> +kernel_use_fds(mount_t)
>>>>>>>> kernel_read_system_state(mount_t)
>>>>>>>> kernel_read_kernel_sysctls(mount_t)
>>>>>>>> kernel_dontaudit_getattr_core_if(mount_t)
>>>>>>>
>>>>>>> How did you come across this?
>>>>>>
>>>>>> type=1400 audit(1295758153.958:3): avc: denied { use } for
>>>>>> pid=1429
>>>>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
>>>>>> scontext=system_u:system_r:mount_t:s0
>>>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>>>>>
>>>>> Can you provide more detail? What was happening on the system?
>>>>
>>>> Unfortunately I cannot provide more details now. I believe it's
>>>> happening at boot-up. I am also quite sure it's not critical. And the
>>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
>>>> from Fedora (will be obsoleted soon by the way).
>>>>
>>>> You could just drop it for the time being...
>>>
>>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout
>>> passes it to init, which passes it to initrc_t which passes it to
>>> mount_t. (init_t could pass it directly to mount_t).
>>
>> And mount_t uses it to print out messages such as "mount
>> point /proc/bus/usb does not exist" very early during boot-up. Does this
>> sound like a possible end of the story?
>
> This scenario doesn't sound right to me. Why would the kernel be using
> a pty? I would expect it to be using /dev/console.
>

Maybe to talk to plymouth?

2011-03-04 06:54:59

by Russell Coker

Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors

On Fri, 4 Mar 2011, Daniel J Walsh <[email protected]> wrote:
> >>>>>>>> +kernel_use_fds(mount_t)
> >>>>
> >>>> Unfortunately I cannot provide more details now. I believe it's
> >>>> happening at boot-up. I am also quite sure it's not critical. And the
> >>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> >>>> from Fedora (will be obsoleted soon by the way).
> >>>>
> >>>> You could just drop it for the time being...
> >>>
> >>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout
> >>> passes it to init, which passes it to initrc_t which passes it to
> >>> mount_t. (init_t could pass it directly to mount_t).
> >>
> >
> > This scenario doesn't sound right to me. Why would the kernel be using
> > a pty? I would expect it to be using /dev/console.

Sounds to me like the pty is being created before the policy is loaded.
Everything that is done before the first policy load is run as "kernel" which
becomes "kernel_t".

So the question is, why is that pty being leaked or why is a pty from before
policy load hanging around until afterwards?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
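As an added example that is not part of this thread or of refpolicy, a small Python parser for the AVC record Guido quoted, combined with Russell's point that everything run before the initial policy load ends up as kernel_t: it extracts the source and target types, the object class, the permission set and the per-boot audit serial, and turns an fd:use denial into a policy suggestion. The SAMPLE_AVC input is the thread's record re-joined onto one line, and the choice to suggest kernel_dontaudit_use_fds for a kernel_t-owned pty is my assumption, not a conclusion the thread reached.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the AVC record quoted in this thread, re-joined
# onto one line as the kernel emits it.
SAMPLE_AVC = (
    'type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429 '
    'comm="mount" path="/dev/pts/0" dev=devpts ino=3 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=fd'
)

_STAMP = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
_HEAD = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, quoted or bare


@dataclass
class Avc:
    timestamp: float   # seconds since the epoch, from audit(ts:serial)
    serial: int        # per-boot event counter; a low value means very early in boot
    verdict: str       # "denied" or "granted"
    perms: list        # permissions inside the braces, e.g. ["use"]
    fields: dict = field(default_factory=dict)

    def type_of(self, key):
        # "system_u:system_r:mount_t:s0" -> "mount_t"
        return self.fields[key].split(':')[2]


def parse_avc(line):
    """Parse one type=1400 AVC record into its components."""
    stamp, head = _STAMP.search(line), _HEAD.search(line)
    if not stamp or not head:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: q or u for k, q, u in _KV.findall(head.group('rest'))}
    return Avc(float(stamp.group('ts')), int(stamp.group('serial')),
               head.group('verdict'), head.group('perms').split(), fields)


def suggest_for_fd_use(avc):
    """Turn an fd:use denial into a policy suggestion, or None if not applicable.

    Assumption (mine, not the thread's): a descriptor on /dev/pts/* owned by
    kernel_t is treated as one inherited from before the initial policy load,
    better silenced with a dontaudit than granted with an allow.
    """
    if avc.verdict != 'denied' or avc.fields.get('tclass') != 'fd' or 'use' not in avc.perms:
        return None
    src, tgt = avc.type_of('scontext'), avc.type_of('tcontext')
    leaked_pty = tgt == 'kernel_t' and avc.fields.get('path', '').startswith('/dev/pts/')
    if tgt == 'kernel_t':
        iface = 'kernel_dontaudit_use_fds' if leaked_pty else 'kernel_use_fds'
        rule = '%s(%s)' % (iface, src)
    else:
        rule = 'allow %s %s:fd use;' % (src, tgt)  # raw rule when no interface is chosen
    return {'source': src, 'target': tgt, 'leaked_pty': leaked_pty, 'rule': rule}
```

Run it against SAMPLE_AVC and the serial of 3 alone supports Guido's "at boot-up" hunch, since the audit serial restarts at every boot.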