From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 22 Feb 2011 18:35:15 +0100
Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
In-Reply-To: <4D63DE9C.8000703@redhat.com>
References: <1297836035.3205.30.camel@tesla.lan> <4D63DBED.5030100@tresys.com> <4D63DE9C.8000703@redhat.com>
Message-ID: <1298396115.16004.41.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 22/02/2011 at 11.04 -0500, Daniel J Walsh wrote:
> On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
> > On 02/16/11 01:00, Guido Trentalancia wrote:
> >> This patch adds a new interface init_read_fifo_file() and
> >> uses it so that readahead can read init_t fifo files.
> >
> > This doesn't make sense to me. It's not run out of init; it shouldn't be
> > inheriting unnamed pipes from init. It also makes me question the
> > existing init_use_fds(readahead_t) rule in the policy.
> >
> It is run by systemd now in F15
> ls /lib/systemd/systemd-readahead-*
> /lib/systemd/systemd-readahead-collect
> /lib/systemd/systemd-readahead-replay

For your information, I am not using systemd. And I am not using readahead either.

I did just install readahead (latest version) and test it very quickly and there was something being denied:

type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

That's all I can add now.

Regards,

Guido
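The two AVC lines above are the whole evidence the thread turns on, and the disagreement is about what they mean rather than what they say: a denial on a `fifo_file` whose path is `pipe:[ino]` on `pipefs` is an unnamed pipe, so the only way `readahead_t` can hold that descriptor is by inheriting or being passed it, which is PeBenito's objection. The script below is an added example, not code from the thread or from refpolicy. It parses the denials as quoted in the message, collapses them into kernel-policy `allow` rules the way one would before wrapping them in a refpolicy interface (the `init_read_fifo_file()` interface from the patch is not shown and is not reproduced here), and flags every denial that involves an anonymous pipe so the reviewer sees the fd-inheritance question instead of just the rule that would silence the log. Field names (`scontext`, `tcontext`, `tclass`, `dev`, `path`, `comm`, `pid`) are the standard audit AVC record fields; everything else is this example's own.

```python
import re

# The two AVC denials quoted in the message above (taken from the page, not constructed).
AVC_LINES = """\
type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
"""

# Shape of an AVC record: 'avc: denied { perm perm } for key=value key="quoted" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's key=value fields plus 'perms' (tuple),
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    denial = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    denial["perms"] = tuple(m.group("perms").split())
    return denial


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def is_anonymous_pipe(denial):
    """An object on pipefs whose path is pipe:[ino] is an unnamed pipe. A
    process only holds such a descriptor because it created the pipe or
    because the fd was inherited across exec / passed over a socket; it
    cannot be opened by name. That is what makes these denials a question
    about fd inheritance rather than about file access."""
    return denial.get("dev") == "pipefs" and denial.get("path", "").startswith("pipe:[")


def allow_rules(denials):
    """Collapse denials into kernel-policy allow rules, one per
    (source type, target type, object class), merging the permissions."""
    merged = {}
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules


def triage(text):
    """Parse a block of audit lines; return (allow rules, caveats). Caveats
    name every denial on an unnamed pipe, because the right fix there may be
    to stop leaking the descriptor rather than to allow reading it."""
    denials = [d for d in (parse_avc(l) for l in text.splitlines()) if d]
    caveats = sorted({
        f"{d['comm']} (pid {d['pid']}) holds a descriptor to unnamed pipe "
        f"{d['path']} labelled {type_of(d['tcontext'])}: check whether that fd "
        "should have been inherited at all before allowing the access"
        for d in denials if is_anonymous_pipe(d)
    })
    return allow_rules(denials), caveats


if __name__ == "__main__":
    rules, caveats = triage(AVC_LINES)
    print("\n".join(rules))
    print("\n".join(caveats))
```

Run against the quoted lines it yields a single rule, `allow readahead_t init_t:fifo_file read;`, and two caveats, one per process. The rule is what a blind audit2allow-style workflow would hand you; the caveats are the reviewer's point that a read on `pipe:[N]` in `init_t` is only reachable through an inherited descriptor, so the `init_use_fds(readahead_t)` grant and the exec path of readahead are what deserve the look.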