From: domg472@gmail.com (Dominick Grift)
Date: Tue, 25 Jan 2011 19:46:53 +0100
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
In-Reply-To: <1295980781.11770.4.camel@tesla.lan>
References: <1295829836.3862.62.camel@tesla.lan> <4D3D8B05.2050002@gmail.com>
<1295978687.3051.3.camel@tesla.lan> <4D3F1317.8000309@gmail.com>
<1295979981.3051.10.camel@tesla.lan> <4D3F16D2.9070705@gmail.com>
<1295980781.11770.4.camel@tesla.lan>
Message-ID: <4D3F1A9D.1060707@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
>>> Hello Dominick !
>>>
>>> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>>>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>>>> Hi Dominick,
>>>>>
>>>>> just a quick question on one of your comments...
>>>>>
>>>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
>>>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
>>>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>>>
>>>>>>> auth_dontaudit_read_shadow(readahead_t)
>>>>>>>
>>>>>>> +init_read_fifo_file(readahead_t)
>>>>>>> init_use_fds(readahead_t)
>>>>>>> init_use_script_ptys(readahead_t)
>>>>>>> init_getattr_initctl(readahead_t)
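Review bot: this call only builds if the init_read_fifo_file interface from the init.if hunk of this same patch lands with it, so the two hunks must be applied together rather than split across the series. The denials quoted later in the thread are on path="pipe:[8853]" dev=pipefs, an anonymous pipe rather than a named fifo under an init_t directory, so the access readahead needs is the fifo_file read itself; given that, placing the call immediately before init_use_fds(readahead_t) among the other init_* calls is fine.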
>>>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
>>>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
>>>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>>>
>>>>>>> ########################################
>>>>>>> ##
>>>>>>> +## Read init fifo file.
>>>>>>> +##
>>>>>>> +##
>>>>>>> +##
>>>>>>> +## Domain allowed access.
>>>>>>> +##
>>>>>>> +##
>>>>>>> +#
>>>>>>> +interface(`init_read_fifo_file',`
>>>>>>> + gen_require(`
>>>>>>> + attribute init_t;
>>>>>>> + ')
>>>>>>> +
>>>>>>> + read_fifo_files_pattern($1, init_t, init_t)
>>>>>>> +')
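Review bot: the gen_require block declares `attribute init_t;`, but init_t is declared with `type init_t;` in init.te, so the require must read `type init_t;` or the module will be rejected when it is linked against the base policy. On the body, the AVC records in this thread are fifo_file denials on an anonymous pipe (dev=pipefs) and show no dir search denial on init_t, so `read_fifo_files_pattern($1, init_t, init_t)` grants a directory search that nothing here needs; `allow $1 init_t:fifo_file r_fifo_file_perms;` is the tighter rule and is the form refpolicy uses for fifo access on domain types elsewhere.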
>>>>>>
>>>>>> no need for the pattern here, use: allow $1 init_t:fifo_file
>>>>>> r_fifo_file_perms;
>>>>>
>>>>> Why should we avoid the use of the pattern here ? It gives better
>>>>> readability and also it grants permission to search the parent dir.
>>>>
>>>> I guess you may indeed be right here. I assume that this pipe is
>>>> somewhere in /proc in an init_t directory? If that is so then the caller
>>>> indeed needs to traverse an init_t directory to get to the pipe I guess,
>>>> and in that case the pattern makes good sense.
>
>>>> It appears that searching domain_type directories is not applicable here.
>>>>
>>>> Can you reproduce this (and in particular the caller searching init_t
>>>> directories?)
>>>
>>> Yes, of course I am quite sure it can be reproduced by just starting up
>>> readahead. Here is the log:
>>>
>>> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
>>> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
>>> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>
>> Yes, but it does not need to search any init_t type directories from what
>> I can see in your avc denial above.
>>
>> That is why I suggest you use:
>>
>> allow $1 init_t:fifo_file r_fifo_file_perms;
>>
>> instead.
>
> It was just to keep the interface more generic and eventually re-usable.
> But I have now changed the interface to:
I understand, and allowing a domain to search a directory isn't a big
deal. Yet I learned from experience. I mean there is a "pattern" in
refpolicy, and I almost never see the read_fifo_files_pattern for domain
types used, so that is the reason for my suggestion. A nitpick, but I had
to mention it anyway. Trying to keep things uniform.
>
> allow $1 init_t:fifo_file read_fifo_file_perms;
>
> so it's a bit more optimised and tight.
>
> Regards,
>
> Guido
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0/Gp0ACgkQMlxVo39jgT816QCeOVveRof++hSSxAE0D9io4rKT
KWAAnjYOfbm/nj+8t1xn9/CzN1JgRsHk
=O37L
-----END PGP SIGNATURE-----
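Added example (not from the thread and not refpolicy code): a small audit2allow-style script that parses the two AVC records quoted above, merges them into an allow rule, and then decides between the read_fifo_files_pattern macro and a plain allow the way the thread argues it, by checking whether any dir search denial on the target type exists. The r_fifo_file_perms set and the expansion of read_fifo_files_pattern (a dir search on the second argument plus fifo_file read perms on the third) are taken from refpolicy's obj_perm_sets.spt and misc_patterns.spt as of that era and are stated here as assumptions; the extra dir-search denial used in the usage notes is constructed, not from the thread.

```python
"""Turn AVC denials into candidate refpolicy rules and pick between a
*_pattern macro and a plain allow, following the argument in the thread."""
import re
from collections import defaultdict

# The two denials quoted in the thread: one in audit(8) format, one from dmesg.
AVC_LINES = [
    'type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for pid=2661 '
    'comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 '
    'scontext=system_u:system_r:readahead_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fifo_file',
    'type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 '
    'comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 '
    'scontext=system_u:system_r:readahead_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fifo_file',
]

# Assumed to match refpolicy's obj_perm_sets.spt for the 2011 tree.
R_FIFO_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # user:role:type:level -> the type is the third field, MLS ranges included.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # dev=pipefs marks an anonymous pipe; a named fifo lives on a real filesystem.
    rec["anonymous_pipe"] = "dev=pipefs" in line
    return rec


def avc_to_allow_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


def needs_dir_search(lines, ttype):
    """True if some denial shows a dir search on ttype, which is the only
    thing read_fifo_files_pattern grants beyond the plain fifo_file allow."""
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] == "dir" and rec["ttype"] == ttype:
            if "search" in rec["perms"]:
                return True
    return False


def suggest_fifo_rule(lines, stype, ttype):
    """Pick the rule for stype reading ttype fifos: the pattern macro only
    when a dir search on ttype was actually denied, else the tight allow."""
    perms = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and (rec["stype"], rec["ttype"], rec["tclass"]) == (stype, ttype, "fifo_file"):
            perms |= rec["perms"]
    if not perms:
        return None
    if not perms <= R_FIFO_FILE_PERMS:
        # Something beyond read access was denied; spell the set out instead.
        return f"allow {stype} {ttype}:fifo_file {{ {' '.join(sorted(perms))} }};"
    if needs_dir_search(lines, ttype):
        return f"read_fifo_files_pattern({stype}, {ttype}, {ttype})"
    return f"allow {stype} {ttype}:fifo_file r_fifo_file_perms;"


if __name__ == "__main__":
    for rule in avc_to_allow_rules(AVC_LINES):
        print(rule)
    print(suggest_fifo_rule(AVC_LINES, "readahead_t", "init_t"))
```

Run against the two records from the thread it prints the merged `allow readahead_t init_t:fifo_file { read };` and then recommends the plain `r_fifo_file_perms` allow, because no `tclass=dir` denial on init_t accompanies the fifo read; feed it an additional (constructed) `{ search }` denial with `tclass=dir` on init_t and it switches to the pattern macro.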