From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 22 Feb 2011 14:56:44 -0500
Subject: [refpolicy] [PATCH 1/34]: patch to allow readahead read init_t fifo files
In-Reply-To: <1298396115.16004.41.camel@tesla.lan>
References: <1297836035.3205.30.camel@tesla.lan> <4D63DBED.5030100@tresys.com> <4D63DE9C.8000703@redhat.com> <1298396115.16004.41.camel@tesla.lan>
Message-ID: <4D6414FC.80101@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/22/2011 12:35 PM, Guido Trentalancia wrote:
> On Tue, 22/02/2011 at 11.04 -0500, Daniel J Walsh wrote:
>> On 02/22/2011 10:53 AM, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:00, Guido Trentalancia wrote:
>>>> This patch adds a new interface init_read_fifo_file() and
>>>> uses it so that readahead can read init_t fifo files.
>>>
>>> This doesn't make sense to me. It's not run out of init; it shouldn't be
>>> inheriting unnamed pipes from init. It also makes me question the
>>> existing init_use_fds(readahead_t) rule in the policy.
>>>
>> It is run by systemd now in F15
>> ls /lib/systemd/systemd-readahead-*
>> /lib/systemd/systemd-readahead-collect
>> /lib/systemd/systemd-readahead-replay
>
> For your information, I am not using systemd. And I am not using
> readahead either. I did just install readahead (latest version) and test
> it very quickly and there was something being denied:
>
> type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>
> That's all I can add now.
>
> Regards,
>
> Guido
>

Right, this shows something we do not do a good job of handling in policy
now. We do not handle the transitioning of open file descriptors down two
levels. Let me explain.

We have domain "A_t" which opens up fifo_files to stdin, stdout, stderr,
and transitions to "B_t". In the domtrans rules we allow B_t to use
A_t:fifo_file read/write. But if B_t transitions to C_t, we do not pass the
fifo_file down; we do not have a mechanism for saying allow C_t to
read/write all file descriptors that have been passed to B_t.

So what you are probably seeing is init_t:fifo_file handed to initrc_t,
which then hands them to readahead_t, and you end up with an AVC.
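The two-level inheritance gap Dan describes, written out as policy. This is an added illustration, not part of the patch under review or of refpolicy itself; A_t, B_t, C_t and the *_exec_t entrypoint types are placeholders standing in for init_t, initrc_t and readahead_t in the thread. The domtrans_pattern() expansion shown in the comments is the one from refpolicy's policy/support/misc_patterns.spt.

```selinux
# Added example: why a fifo opened by A_t and inherited through B_t ends up
# denied in C_t. Domain and entrypoint type names here are placeholders.
type A_t;
type B_t;
type C_t;
type B_exec_t;
type C_exec_t;

# A_t -> B_t.  domtrans_pattern() already grants the child use of the
# parent's fds and read/write on the parent's fifo_files, which covers the
# stdin/stdout/stderr pipes A_t opened before exec'ing B_exec_t.
domtrans_pattern(A_t, B_exec_t, B_t)
# expands to, among others:
#   allow B_t A_t:fd use;
#   allow B_t A_t:fifo_file rw_fifo_file_perms;
#   allow B_t A_t:process sigchld;

# B_t -> C_t.  The same pattern only covers objects labelled B_t:
#   allow C_t B_t:fd use;
#   allow C_t B_t:fifo_file rw_fifo_file_perms;
domtrans_pattern(B_t, C_exec_t, C_t)

# Nothing above mentions A_t from C_t's point of view.  The pipes B_t
# inherited keep their A_t label when B_t passes them on unchanged, and the
# kernel checks the object label, not who handed the fd over, so C_t gets
# "denied { read } ... tcontext=...:A_t:s0 tclass=fifo_file".  With
# A_t=init_t and C_t=readahead_t that is exactly the AVC quoted above.
# Closing it takes explicit rules against the grandparent's types, which is
# what init_use_fds(readahead_t) plus the proposed init_read_fifo_file()
# amount to:
allow C_t A_t:fd use;
allow C_t A_t:fifo_file read_fifo_file_perms;
```

The allow rules at the end are the minimal fix for the denial in the thread (read only, matching the { read } in the AVC); use rw_fifo_file_perms if the grandchild also writes to the inherited pipe. Whether readahead_t should be allowed to inherit init_t pipes at all is the separate question Chris raises, which a rule like this does not answer.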