From: vaclav.ovsik@i.cz (=?iso-8859-1?Q?V=E1clav_Ovs=EDk?=)
Date: Mon, 15 Sep 2008 15:36:30 +0200
Subject: [refpolicy] Debian: ldd /sbin/udevd, need to use interactive	fds
In-Reply-To: <20080912142922.GA29549@bobek.pm.i.cz>
References: <20080901171232.GA4104@bobek.pm.i.cz>
	<1220361593.28287.8.camel@gorn> <48BE7371.2000100@martinorr.name>
	<20080903135237.GA7644@bobek.pm.i.cz>
	<20080908141529.GA22294@bobek.pm.i.cz>
	<1220887889.28287.117.camel@gorn> <48C96AD4.1000009@martinorr.name>
	<20080912142922.GA29549@bobek.pm.i.cz>
Message-ID: <20080915133630.GA12583@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Sep 12, 2008 at 04:29:22PM +0200, V?clav Ovs?k wrote:
> While I was reading this, I opened /usr/bin/ldd to look in it and was
> a bit surprise with a block:
> 
> => # The following use of cat is needed to make ldd work in SELinux
> => # environments where the executed program might not have permissions
> => # to write to the console/tty.  But only bash 3.x supports the pipefail
> => # option, and we don't bother to handle the case for older bash versions.
> => if set -o pipefail 2> /dev/null; then
> =>   try_trace() {
> =>     eval $add_env '"$@"' | cat
> =>   }
> => else
> =>   try_trace() {
> =>     eval $add_env '"$@"'
> =>   }
> => fi
> 
> I must completely overlook this for the first time. I am going to play
> with it a bit. I hope some correction of this can eliminate our headache
> on the policy side. I will write a next week.

A little improvement of workaround already part of ldd:

--- /usr/bin/ldd.orig	2008-07-29 07:21:35.000000000 +0200
+++ /usr/bin/ldd	2008-09-15 12:22:01.000000000 +0200
@@ -114,7 +114,7 @@
 # option, and we don't bother to handle the case for older bash versions.
 if set -o pipefail 2> /dev/null; then
   try_trace() {
-    eval $add_env '"$@"' | cat
+    eval $add_env '"$@"' <&- 2>&1 | cat
   }
 else
   try_trace() {

That is - all inherited file descriptors connected to an user terminal
are moved away. The SE Linux denial disappeared. Sorry for noise with
ldd domain, it can be forgotten.
Reported as bug in Debian BTS:
...hmm, still not arrived assignment after several hours...
I will send a bug number later.
Regards
-- 
Zito