---
portage.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/portage.if b/portage.if
index c0c7e9b..77bc1d2 100644
--- a/portage.if
+++ b/portage.if
@@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
dontaudit $1 portage_tmp_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## portage ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_use_ptys',`
+ gen_require(`
+ type portage_devpts_t;
+ ')
+
+ dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
+ term_dontaudit_use_ptmx($1)
+')
--
2.14.1
On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> ---
> portage.if | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/portage.if b/portage.if
> index c0c7e9b..77bc1d2 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>
> dontaudit $1 portage_tmp_t:file rw_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and write
> +## portage ptys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`portage_dontaudit_use_ptys',`
> + gen_require(`
> + type portage_devpts_t;
> + ')
> +
> + dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
> + term_dontaudit_use_ptmx($1)
I don't think this ptmx dontaudit applies here, especially if the pty is
inherited.
> +')
>
--
Chris PeBenito
On Tue, 12 Sep 2017 19:08:37 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:
> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> > ---
> > portage.if | 20 ++++++++++++++++++++
> > 1 file changed, 20 insertions(+)
> >
> > diff --git a/portage.if b/portage.if
> > index c0c7e9b..77bc1d2 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >
> > dontaudit $1 portage_tmp_t:file rw_file_perms;
> > ')
> > +
> > +########################################
> > +## <summary>
> > +## Do not audit attempts to read and write
> > +## portage ptys.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to not audit.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`portage_dontaudit_use_ptys',`
> > + gen_require(`
> > + type portage_devpts_t;
> > + ')
> > +
> > + dontaudit $1 portage_devpts_t:chr_file
> > rw_inherited_term_perms;
> > + term_dontaudit_use_ptmx($1)
>
> I don't think this ptmx dontaudit applies here, especially if the pty
> is inherited.
This denial definitly came up with the fds inherited from portage. I
haven't checked why exactly, though.
By the way, I'm also seeing a denial for a ptmx_t-labeled pty master
that my window manager leaks to firefox. I don't recall seeing that one
earlier, so there may have been changes in 4.13 affecting this. Perhaps
I'll look into it later.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170913/0deeea30/attachment.bin
On 09/12/2017 10:58 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 19:08:37 -0400
> Chris PeBenito via refpolicy <[email protected]> wrote:
>
>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>> ---
>>> portage.if | 20 ++++++++++++++++++++
>>> 1 file changed, 20 insertions(+)
>>>
>>> diff --git a/portage.if b/portage.if
>>> index c0c7e9b..77bc1d2 100644
>>> --- a/portage.if
>>> +++ b/portage.if
>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>
>>> dontaudit $1 portage_tmp_t:file rw_file_perms;
>>> ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Do not audit attempts to read and write
>>> +## portage ptys.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain to not audit.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`portage_dontaudit_use_ptys',`
>>> + gen_require(`
>>> + type portage_devpts_t;
>>> + ')
>>> +
>>> + dontaudit $1 portage_devpts_t:chr_file
>>> rw_inherited_term_perms;
>>> + term_dontaudit_use_ptmx($1)
>>
>> I don't think this ptmx dontaudit applies here, especially if the pty
>> is inherited.
>
> This denial definitly came up with the fds inherited from portage. I
> haven't checked why exactly, though.
So ptmx is being leaked?
--
Chris PeBenito
On Wed, 13 Sep 2017 18:29:30 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:
> On 09/12/2017 10:58 PM, Luis Ressel wrote:
> > On Tue, 12 Sep 2017 19:08:37 -0400
> > Chris PeBenito via refpolicy <[email protected]> wrote:
> >
> >> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> >>> ---
> >>> portage.if | 20 ++++++++++++++++++++
> >>> 1 file changed, 20 insertions(+)
> >>>
> >>> diff --git a/portage.if b/portage.if
> >>> index c0c7e9b..77bc1d2 100644
> >>> --- a/portage.if
> >>> +++ b/portage.if
> >>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >>>
> >>> dontaudit $1 portage_tmp_t:file rw_file_perms;
> >>> ')
> >>> +
> >>> +########################################
> >>> +## <summary>
> >>> +## Do not audit attempts to read and write
> >>> +## portage ptys.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +## <summary>
> >>> +## Domain to not audit.
> >>> +## </summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`portage_dontaudit_use_ptys',`
> >>> + gen_require(`
> >>> + type portage_devpts_t;
> >>> + ')
> >>> +
> >>> + dontaudit $1 portage_devpts_t:chr_file
> >>> rw_inherited_term_perms;
> >>> + term_dontaudit_use_ptmx($1)
> >>
> >> I don't think this ptmx dontaudit applies here, especially if the
> >> pty is inherited.
> >
> > This denial definitly came up with the fds inherited from portage. I
> > haven't checked why exactly, though.
>
> So ptmx is being leaked?
Yes, ptmx is being leaked on one of the higher fds. However, I just
noticed that the way ldconfig is called has been changed in the py3
version of the scripts; only users invoking portage via python2.7 will
see the denials I'm dontauditing here.
I'll leave it to you whether the patch should be merged or not. If you
merge it, it'd be great if you could add a comment to libraries.te
saying the dontaudit is only needed for python2.
Regards,
Luis Ressel
On 09/14/2017 10:32 PM, Luis Ressel wrote:
> On Wed, 13 Sep 2017 18:29:30 -0400
> Chris PeBenito via refpolicy <[email protected]> wrote:
>
>> On 09/12/2017 10:58 PM, Luis Ressel wrote:
>>> On Tue, 12 Sep 2017 19:08:37 -0400
>>> Chris PeBenito via refpolicy <[email protected]> wrote:
>>>
>>>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>>>> ---
>>>>> portage.if | 20 ++++++++++++++++++++
>>>>> 1 file changed, 20 insertions(+)
>>>>>
>>>>> diff --git a/portage.if b/portage.if
>>>>> index c0c7e9b..77bc1d2 100644
>>>>> --- a/portage.if
>>>>> +++ b/portage.if
>>>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>>>
>>>>> dontaudit $1 portage_tmp_t:file rw_file_perms;
>>>>> ')
>>>>> +
>>>>> +########################################
>>>>> +## <summary>
>>>>> +## Do not audit attempts to read and write
>>>>> +## portage ptys.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +## <summary>
>>>>> +## Domain to not audit.
>>>>> +## </summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`portage_dontaudit_use_ptys',`
>>>>> + gen_require(`
>>>>> + type portage_devpts_t;
>>>>> + ')
>>>>> +
>>>>> + dontaudit $1 portage_devpts_t:chr_file
>>>>> rw_inherited_term_perms;
>>>>> + term_dontaudit_use_ptmx($1)
>>>>
>>>> I don't think this ptmx dontaudit applies here, especially if the
>>>> pty is inherited.
>>>
>>> This denial definitly came up with the fds inherited from portage. I
>>> haven't checked why exactly, though.
>>
>> So ptmx is being leaked?
>
> Yes, ptmx is being leaked on one of the higher fds. However, I just
> noticed that the way ldconfig is called has been changed in the py3
> version of the scripts; only users invoking portage via python2.7 will
> see the denials I'm dontauditing here.
>
> I'll leave it to you whether the patch should be merged or not. If you
> merge it, it'd be great if you could add a comment to libraries.te
> saying the dontaudit is only needed for python2.
Since Python 2.7 is on the way out, I'm inclined to skip this patch.
--
Chris PeBenito