From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 25 Jan 2011 19:39:41 +0100 Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy In-Reply-To: <4D3F16D2.9070705@gmail.com> References: <1295829836.3862.62.camel@tesla.lan> <4D3D8B05.2050002@gmail.com> <1295978687.3051.3.camel@tesla.lan> <4D3F1317.8000309@gmail.com> <1295979981.3051.10.camel@tesla.lan> <4D3F16D2.9070705@gmail.com> Message-ID: <1295980781.11770.4.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Dominick ! On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote: > On 01/25/2011 07:26 PM, Guido Trentalancia wrote: > > Hello Dominick ! > > > > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote: > >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote: > >>> Hi Dominick, > >>> > >>> just a quick question on one of your comments... > >>> > >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote: > >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote: > >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te > >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 > >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 
> >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) > >>>>> > >>>>> auth_dontaudit_read_shadow(readahead_t) > >>>>> > >>>>> +init_read_fifo_file(readahead_t) > >>>>> init_use_fds(readahead_t) > >>>>> init_use_script_ptys(readahead_t) > >>>>> init_getattr_initctl(readahead_t) > >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if > >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 > >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100 
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',` > >>>>> > >>>>> ######################################## > >>>>> ## > >>>>> +## Read init fifo file. > >>>>> +## > >>>>> +## > >>>>> +## > >>>>> +## Domain allowed access. > >>>>> +## > >>>>> +## > >>>>> +# > >>>>> +interface(`init_read_fifo_file',` > >>>>> + gen_require(` > >>>>> + attribute init_t; > >>>>> + ') > >>>>> + > >>>>> + read_fifo_files_pattern($1, init_t, init_t) > >>>>> +') > >>>> > >>>> no need to for pattern here use: allow $1 init_t:fifo_file > >>>> r_fifo_file_perms; > >>> > >>> Why should we avoid the use of the pattern here ? It gives better > >>> readability and also it grants permission to search the parent dir. > >> > >> I guess you may indeed be right here. I assume that this pipe is > >> somewhere in /proc in an init_t directory? If that is so then the caller > >> indeed needs to traverse an init_t directory to get to the pipe i guess, > >> and in that case the pattern makes good sense. > >> It appears that searching domain_type directories is not applicable here. > >> > >> Can you reproduce this (and in particular the caller searching init_t > >> directories?) > > > > Yes, of course I am quite sure it can be reproduced by just starting up > > readahead. Here is the log: > > > > type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for > > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 > > scontext=system_u:system_r:readahead_t:s0 > > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file > > type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 > > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 > > scontext=system_u:system_r:readahead_t:s0 > > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file > > Yes but it does not need to search any init_t type directories from what > i can see in your avc denial above. > > That is why i suggest you use: > > allow $1 init_t:fifo_file r_fifo_file_perms; > > instead. 
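Review bot: the readahead.te hunk only adds the call `init_read_fifo_file(readahead_t)`, which resolves against the interface introduced in the init.if part of this same patch, so the two files must be committed together or the module will not build. The two denials quoted in the thread come from `comm="readahead"` and `comm="readahead-colle"`, both running as readahead_t against init_t with tclass=fifo_file, so this single call covers both of them.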
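Review bot: in the init.if hunk the `gen_require(` block declares `attribute init_t;`, but init_t is a type, not an attribute, so the require should read `type init_t;` or the module will fail at link time. Secondly, `read_fifo_files_pattern($1, init_t, init_t)` grants search on init_t-labelled directories in addition to read on the fifo_file; the denials in the thread show `dev=pipefs` and `path="pipe:[N]"`, i.e. anonymous pipes reached through an inherited descriptor, so that directory rule is never exercised and the bare `allow $1 init_t:fifo_file read_fifo_file_perms;` is the tighter choice. Lastly, the `##` lines between "Read init fifo file." and "Domain allowed access." appear empty in this quoting; check that the summary/param markup the refpolicy doc tooling expects is actually present in the file.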
It was just to keep the interface more generic and eventually re-usable. But I have now changed the interface to:

allow $1 init_t:fifo_file read_fifo_file_perms;

so it's a bit more optimised and tight.

Regards,

Guido
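Added illustration of the point argued in this exchange (my own script, not code from the patch or from refpolicy): it parses the two AVC denials quoted in the thread, derives the single allow rule they require, and reports whether any denial was reached through a real path rather than an anonymous pipe on pipefs, which is what decides whether the extra directory search in a *_pattern macro buys anything. The sample lines are the thread's own denials, re-joined onto single lines.

```python
import re

# The two AVC denials quoted in the thread, constructed here as sample
# input (re-joined onto one line each; the mail client had wrapped them).
SAMPLE_AVCS = """\
type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; the type is the third field.
    return {
        'perms': set(m.group('perms').split()),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'fields': fields,
    }


def is_anonymous_pipe(avc):
    """True when the object is on pipefs (path "pipe:[N]"): it was reached
    through an inherited fd, so no directory search on the target is involved."""
    f = avc['fields']
    return f.get('dev') == 'pipefs' or f.get('path', '').startswith('pipe:[')


def allow_rules(log):
    """Collapse the denials into one allow rule per (source, target, class)."""
    merged = {}
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc:
            key = (avc['source'], avc['target'], avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in merged.items())


def dir_search_needed(log):
    """True if any denial came via a real path, i.e. a *_pattern dir search could matter."""
    return any(not is_anonymous_pipe(a) for a in map(parse_avc, log.splitlines()) if a)
```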