From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 28 Feb 2011 09:43:21 -0500
Subject: [refpolicy] [patch 1/1] dmesg: reads /proc/version
In-Reply-To: <4D6285B1.6010207@redhat.com>
References: <4D5E97A6.1040603@redhat.com> <1298092023.3101.48.camel@tesla.lan> <4D62814D.6010301@redhat.com> <1298300935.9676.8.camel@tesla.lan> <4D6285B1.6010207@redhat.com>
Message-ID: <4D6BB489.3080402@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/21/11 10:33, Daniel J Walsh wrote:
> On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
>> Good afternoon Miroslav !
>
>> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>>> Hello Miroslav !
>>>>
>>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>>
>>>>> * dmesg reads /proc/version
>>>>> * dmesg needs access to abrt files
>>>> I couldn't find any reference in the source code for dmesg from
>>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>>> reads /proc/version".
>>>>
>>>> Nor do I have any indication from the audit logs on the test system I am
>>>> running that dmesg ever required that permission.
>>>>
>>>> Only mount needs to stat() /proc/version.
>>>>
>>>> So, where did you get that from ?
>>> There was a bug saying
>>>
>>> type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405
>>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>>> tclass=file
>
>> That's not a bug. It's an AVC denial. In other words, SELinux is
>> preventing some sort of operation.
>
>> It still sounds very odd to me.
>
>> In any case, I got curious about this issue and I went looking at
>> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
>> quite sure that such operation is not in the source code for dmesg.
>
>> Look by yourself, the code is so short ! It's only about calls to
>> klogctl().
>
>> Hope it helps. But let's quit this topic now, because I believe it is
>> off-theme for this list.
>
> There is a possibility that the app/domain that executed dmesg leaked an
> open file descriptor for read to dmesg, and that is being checked on exec.

There is also the possibility that it's a glibc thing.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
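The thread turns on one question: did dmesg itself open /proc/version, or did the calling domain leak an already-open descriptor that SELinux then re-checked when dmesg was exec'd? The AVC record alone cannot settle that, but the SYSCALL record that shares the same audit serial can: a denial raised during the inherited-descriptor check at exec carries an execve SYSCALL record, whereas a denial for a file the program opened itself carries an open/openat record. The script below is an added example, not code from the thread or from refpolicy; it parses AVC and SYSCALL lines, pairs them by serial, and reports which case each denial looks like together with the allow rule that audit2allow-style tooling would propose. The first AVC line is the one quoted in the thread; the SYSCALL record paired with it and the second AVC/SYSCALL pair are constructed here (serials, inode, the path /var/tmp/example.log and the type example_file_t are invented), and the syscall-number table only covers x86_64 (arch=c000003e, execve=59, open=2).

```python
import re

# Constructed sample audit records. The first AVC line is the denial quoted in
# the thread; everything else is made up here to exercise the correlation
# (serial 9, the inode, /var/tmp/example.log and example_file_t are invented).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1293078612.406:8): avc: denied { read } for pid=2405 '
    'comm="dmesg" path="/proc/version" dev=proc ino=4026532016 '
    'scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    # constructed: same serial as the AVC above, syscall 59 is execve on x86_64
    'type=SYSCALL msg=audit(1293078612.406:8): arch=c000003e syscall=59 success=yes '
    'exit=0 pid=2405 comm="dmesg" exe="/bin/dmesg" subj=system_u:system_r:dmesg_t:s0',
    # constructed: a denial for a file dmesg tried to open itself (syscall 2 = open)
    'type=AVC msg=audit(1293078650.100:9): avc: denied { read } for pid=2410 '
    'comm="dmesg" path="/var/tmp/example.log" dev=sda1 ino=777 '
    'scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1293078650.100:9): arch=c000003e syscall=2 success=no '
    'exit=-13 pid=2410 comm="dmesg" exe="/bin/dmesg" subj=system_u:system_r:dmesg_t:s0',
]

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: only x86_64 is mapped here; other arches need their own table.
EXEC_SYSCALLS = {'c000003e': {59}}  # execve


def parse_record(line):
    """Turn one audit line into a dict, or None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'timestamp': float(m.group('ts')),
           'serial': int(m.group('serial'))}
    rest = m.group('rest')
    if rec['type'] == 'AVC':
        a = AVC_RE.match(rest)
        if not a:
            return None
        rec['result'] = a.group('result')
        rec['perms'] = a.group('perms').split()
        rest = a.group('fields')
    rec['fields'] = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rec


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def suggest_rule(avc):
    """The TE allow rule that would silence this denial (what audit2allow would print)."""
    f = avc['fields']
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(f['scontext']), type_of(f['tcontext']),
                                   f['tclass'], perm_str)


def correlate(lines):
    """Pair AVC records with the SYSCALL record of the same serial and classify them."""
    syscalls, avcs = {}, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec['type'] == 'SYSCALL':
            syscalls[rec['serial']] = rec
        elif rec['type'] == 'AVC':
            avcs.append(rec)
    for avc in avcs:
        sc = syscalls.get(avc['serial'])
        at_exec = False
        if sc is not None:
            nr = int(sc['fields'].get('syscall', -1))
            at_exec = nr in EXEC_SYSCALLS.get(sc['fields'].get('arch'), set())
        avc['at_exec'] = at_exec
        avc['suggested_rule'] = suggest_rule(avc)
        # A denial raised during execve is the inherited-descriptor check: the fd was
        # opened by the caller, so the fix belongs in the caller's domain, not here.
        avc['verdict'] = ('inherited fd checked at exec; inspect the calling domain'
                          if at_exec else 'direct access by the denied domain')
    return avcs


if __name__ == '__main__':
    for avc in correlate(SAMPLE_AUDIT_LINES):
        f = avc['fields']
        print('serial %d: %s %s %s on %s -> %s' % (
            avc['serial'], type_of(f['scontext']), ' '.join(avc['perms']),
            f['tclass'], f.get('path', '?'), avc['verdict']))
        print('    would need: ' + avc['suggested_rule'])
```

The point of the pairing is that the rule audit2allow would propose (`allow dmesg_t proc_t:file read;`) is the wrong fix when the denial happened at exec time: it grants dmesg_t a permission the program never uses, when the real defect is the caller not setting close-on-exec on its descriptor. On a live system the same correlation can be done with `ausearch -i` and the record serial, or with this parser over /var/log/audit/audit.log.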