From: vaclav.ovsik@i.cz (Václav Ovsík)
Date: Mon, 15 Sep 2008 15:36:30 +0200
Subject: [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds
In-Reply-To: <20080912142922.GA29549@bobek.pm.i.cz>
References: <20080901171232.GA4104@bobek.pm.i.cz>
 <1220361593.28287.8.camel@gorn>
 <48BE7371.2000100@martinorr.name>
 <20080903135237.GA7644@bobek.pm.i.cz>
 <20080908141529.GA22294@bobek.pm.i.cz>
 <1220887889.28287.117.camel@gorn>
 <48C96AD4.1000009@martinorr.name>
 <20080912142922.GA29549@bobek.pm.i.cz>
Message-ID: <20080915133630.GA12583@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Sep 12, 2008 at 04:29:22PM +0200, Václav Ovsík wrote:
> While I was reading this, I opened /usr/bin/ldd to look in it and was
> a bit surprised by a block:
>
> => # The following use of cat is needed to make ldd work in SELinux
> => # environments where the executed program might not have permissions
> => # to write to the console/tty. But only bash 3.x supports the pipefail
> => # option, and we don't bother to handle the case for older bash versions.
> => if set -o pipefail 2> /dev/null; then
> => try_trace() {
> => eval $add_env '"$@"' | cat
> => }
> => else
> => try_trace() {
> => eval $add_env '"$@"'
> => }
> => fi
>
> I must have completely overlooked this the first time. I am going to play
> with it a bit. I hope some correction of this can eliminate our headache
> on the policy side. I will write next week.

A little improvement of the workaround already part of ldd:

--- /usr/bin/ldd.orig 2008-07-29 07:21:35.000000000 +0200
+++ /usr/bin/ldd 2008-09-15 12:22:01.000000000 +0200
@@ -114,7 +114,7 @@
 # option, and we don't bother to handle the case for older bash versions.
 if set -o pipefail 2> /dev/null; then
 try_trace() {
-eval $add_env '"$@"' | cat
+eval $add_env '"$@"' <&- 2>&1 | cat
 }
 else
 try_trace() {

That is - all inherited file descriptors connected to a user terminal are
moved away. The SE Linux denial disappeared.

Sorry for the noise about the ldd domain; it can be forgotten.

Reported as a bug in the Debian BTS: ...hmm, the assignment still hasn't
arrived after several hours... I will send a bug number later.

Regards
-- 
Zito
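Review bot: in the `+` line, `<&-` closes fd 0 outright instead of pointing it somewhere harmless, so the first file the dynamic loader or traced program opens afterwards is handed descriptor 0, and anything that reads stdin gets EBADF rather than EOF; `</dev/null` detaches from the terminal just as well while keeping fd 0 open and is the conventional form, e.g. `eval $add_env '"$@"' </dev/null 2>&1 | cat`. `2>&1` also changes what callers of ldd observe: loader diagnostics that previously reached ldd's stderr are now merged into the stdout pipe through cat, so scripts that separate the two streams will see different output. Whichever form is kept, the comment block above this hunk ("The following use of cat is needed ...") only explains the pipe and should be extended to say that stdin and stderr are redirected away from the tty as well.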
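To make visible what the patched redirections change for the traced program, here is an added example (not from the mail or from Debian's ldd) that copies both try_trace variants from the hunk and runs a stand-in "traced program" through each; the `describe_fds` function and the `add_env` value are constructed for illustration.

```shell
#!/bin/sh
# Added example: which of fds 0/1/2 still reach the caller's terminal
# under the original and the patched try_trace.

# Stand-in for the environment ldd prepends (constructed; ldd's list is longer).
add_env='LD_TRACE_LOADED_OBJECTS=1'

# Before the patch: only stdout of the traced program goes through the pipe.
try_trace_orig() {
    eval $add_env '"$@"' | cat
}

# After the patch: stdin is closed and stderr is merged into the pipe, so no
# descriptor inherited from the terminal stays open in the traced program.
try_trace_patched() {
    eval $add_env '"$@"' <&- 2>&1 | cat
}

# Stand-in for the traced program: reports fd 0, 1, 2 as tty/closed/other.
# 'true' is a regular builtin, so a failed dup of a closed fd only yields a
# non-zero status instead of aborting the shell as it may for ':'.
describe_fds() {
    result=""
    for fd in 0 1 2; do
        if [ -t $fd ]; then
            state=tty
        elif { true 9<&$fd; } 2>/dev/null; then
            state=other
        else
            state=closed
        fi
        result="$result fd$fd=$state"
    done
    echo "${result# }"
}

# Run from a terminal, the original variant typically reports
# "fd0=tty fd1=other fd2=tty"; the patched one always reports
# "fd0=closed fd1=other fd2=other", however ldd itself was invoked.
echo "original: $(try_trace_orig describe_fds)"
echo "patched : $(try_trace_patched describe_fds)"
```

The patched line still lets `cat` write to the terminal; only the traced program, which runs in its own SELinux domain, loses its terminal descriptors.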