From: vaclav.ovsik@i.cz (Václav Ovsík)
Date: Wed, 3 Sep 2008 15:52:37 +0200
Subject: [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds
In-Reply-To: <48BE7371.2000100@martinorr.name>
References: <20080901171232.GA4104@bobek.pm.i.cz> <1220361593.28287.8.camel@gorn> <48BE7371.2000100@martinorr.name>
Message-ID: <20080903135237.GA7644@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Sep 03, 2008 at 12:22:25PM +0100, Martin Orr wrote:
> On 02/09/08 14:19, Christopher J. PeBenito wrote:
> > On Mon, 2008-09-01 at 19:12 +0200, Václav Ovsík wrote:
> >> I am running Debian unstable (Sid) with the latest refpolicy packaged by
> >> Russell Coker (2:0.0.20080702-6) with the unconfined module (permissive
> >> mode). I have caught a problem with running update-initramfs under an
> >> unconfined user (system initrd image generation). The hook script udev
> >> is trying to discover libraries used by udev by running the command "ldd
> >> /sbin/udev", which emits:
> >>
> >> [ 180.506850] type=1400 audit(1219673765.136:5): avc: denied { use } for pid=1944 comm="udevd" path="/dev/tty1" dev=tmpfs ino=998 scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0 tclass=fd
> >> [ 180.534524] type=1300 audit(1219673765.136:5): arch=40000003 syscall=11 success=yes exit=0 a0=8f93ee8 a1=8f93e68 a2=8f7d008 a3=0 items=0 ppid=1936 pid=1944 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> >>
> >> One wants to see the output from udevd --help, e.g., also...
> >> So attached is a patch.
> >
> > The denials aren't consistent with 'ldd /sbin/udev', otherwise comm=
> > would be ldd. I also can't reproduce this type of denial while using
> > ldd. As for 'ldd --help', there shouldn't really be a transition. In
> > fact I think Dan may have suggested removing the domain transition from
> > DIRECT_INITRC and just leave a role transition.
>
> ldd is just a shell script, which does "LD_TRACE_LOADED_OBJECTS=1 $cmd" (you
> can run that on the command line if you want). Setting
> LD_TRACE_LOADED_OBJECTS causes the dynamic linker to link the program and
> output the objects it has linked but then exit without calling main().
>
> Since $cmd is never properly executed, it doesn't make sense to be
> transitioning to its domain. So I think ldd should have a domain of its
> own, which has no privileges except to write to the terminal and to
> execute_no_trans everything.
> --
> Martin Orr

Hmm, it sounds like the right way to solve this.
Maybe this could solve the problem with the transition to rsync_t from
user domains while rsync is running over ssh.
Great. Thanks for the suggestion.
--
Zito
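An added example, not part of the thread, showing from a shell what Martin describes: ldd re-executes the target with LD_TRACE_LOADED_OBJECTS=1, the dynamic linker prints the resolved objects and exits before main() runs, yet the execve() itself is real, which is why an exec-based SELinux domain transition fires. It assumes a glibc system where /bin/echo is dynamically linked.

```shell
#!/bin/sh
# Run PROG (with args) in the dynamic linker's trace mode. This is the
# essence of the ldd script: no disassembly, just a real execve() of
# the target with the trace variable set in its environment.
trace_objects() {
    LD_TRACE_LOADED_OBJECTS=1 "$@" 2>/dev/null
}

# Show that main() of the traced program never runs. /bin/echo is told
# to print a marker; in trace mode the marker must be absent while the
# loader's object list (which names libc) must be present.
# Returns 0 on success, 1 if trace mode was not honoured (e.g. a
# statically linked or non-glibc /bin/echo).
main_skipped_under_trace() {
    out=$(trace_objects /bin/echo MARKER_FROM_MAIN)
    case "$out" in
        *MARKER_FROM_MAIN*) return 1 ;;   # main() ran after all
    esac
    case "$out" in
        *libc*) return 0 ;;               # loader output, no program output
        *)      return 1 ;;               # nothing traced (static binary?)
    esac
}

# Extract the resolved library paths from the trace output, the way an
# initramfs hook copies a binary's dependencies. Lines look like
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
# The vdso pseudo-entry and the loader line carry no "=> /path" pair and
# are therefore skipped.
needed_libs() {
    trace_objects "$@" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Note for reading the audit record in the thread: arch=40000003 is
# AUDIT_ARCH_I386 and syscall=11 is execve there, with exe="/sbin/udevd".
# That is exactly the exec performed above: the kernel sees a genuine
# execve of the target and applies the type transition for its file
# context, even though the target's own code is never reached.
```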