From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 01 Feb 2011 00:00:43 +0100
Subject: [refpolicy] [PATCH/RFC 3/19]: patch set to update the git
reference policy
In-Reply-To: <4D470796.4030308@tresys.com>
References: <1295829836.3862.62.camel@tesla.lan>
<4D3D8B05.2050002@gmail.com> <1295978687.3051.3.camel@tesla.lan>
<4D3F1317.8000309@gmail.com> <1295979981.3051.10.camel@tesla.lan>
<4D470796.4030308@tresys.com>
Message-ID: <1296514843.18286.69.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hello Christopher!
On Mon, 31/01/2011 at 14.03 -0500, Christopher J. PeBenito wrote:
> On 1/25/2011 1:26 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> >>> Hi Dominick,
> >>>
> >>> just a quick question on one of your comments...
> >>>
> >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100
> >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100
> >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>>>
> >>>>> auth_dontaudit_read_shadow(readahead_t)
> >>>>>
> >>>>> +init_read_fifo_file(readahead_t)
> >>>>> init_use_fds(readahead_t)
> >>>>> init_use_script_ptys(readahead_t)
> >>>>> init_getattr_initctl(readahead_t)
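Review bot: the new init_read_fifo_file(readahead_t) call depends on the interface that the init.if part of this same patch introduces, so the readahead module will not build if the two files are ever split into separate commits; please keep them together or land init.if first. The .te line itself carries no justification, so it would also help to record in the commit message the denial it resolves (readahead_t reading an init_t pipe on pipefs, as quoted later in this thread).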
> >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100
> >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if 2011-01-23 00:29:43.873713518 +0100
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>>>
> >>>>> ########################################
> >>>>> ##
> >>>>> +## Read init fifo file.
> >>>>> +##
> >>>>> +##
> >>>>> +##
> >>>>> +## Domain allowed access.
> >>>>> +##
> >>>>> +##
> >>>>> +#
> >>>>> +interface(`init_read_fifo_file',`
> >>>>> + gen_require(`
> >>>>> + attribute init_t;
> >>>>> + ')
> >>>>> +
> >>>>> + read_fifo_files_pattern($1, init_t, init_t)
> >>>>> +')
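Review bot: `attribute init_t;` in the gen_require block should be `type init_t;`, since init_t is declared as a type in init.te, not as an attribute (the thread below raises the same point for two existing lines of init.if). Separately, the denials this interface is meant to clear are on an unnamed pipe (path="pipe:[8853]", dev=pipefs), so there is no parent directory to search and the body can be the plain rule `allow $1 init_t:fifo_file read_fifo_file_perms;` instead of read_fifo_files_pattern, matching the style of the existing init_rw_script_pipes and init_write_script_pipes interfaces. The doc block as quoted shows bare `##` lines where the summary and domain parameter tags would normally sit; if those were lost in quoting, fine, otherwise they need to be filled in for the interface documentation.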
> >>>>
> >>>> No need for the pattern here; use: allow $1 init_t:fifo_file
> >>>> r_fifo_file_perms;
> >>>
> >>> Why should we avoid the use of the pattern here? It gives better
> >>> readability and also it grants permission to search the parent dir.
> >>
> >> I guess you may indeed be right here. I assume that this pipe is
> >> somewhere in /proc in an init_t directory? If that is so then the caller
> >> indeed needs to traverse an init_t directory to get to the pipe, I guess,
> >> and in that case the pattern makes good sense.
> >>
> >> Looking at similar examples though, like
> >>
> >>> interface(`init_rw_script_pipes',`
> >>> gen_require(`
> >>> type initrc_t;
> >>> ')
> >>>
> >>> allow $1 initrc_t:fifo_file { read write };
> >>> ')
> >>
> >> And
> >>
> >>> interface(`init_write_script_pipes',`
> >>> gen_require(`
> >>> type initrc_t;
> >>> ')
> >>>
> >>> allow $1 initrc_t:fifo_file write;
> >>> ')
> >>
> >> It appears that searching domain_type directories is not applicable here.
> >>
> >> Can you reproduce this (and in particular the caller searching init_t
> >> directories)?
> >
> > Yes, of course I am quite sure it can be reproduced by just starting up
> > readahead. Here is the log:
> >
> > type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for
> > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> > type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398
> > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>
> The read_fifo_file_perms is appropriate instead of the pattern because
> this is an unnamed pipe (note the pipe=). There is no dir to search.
Thanks for confirming.
Do you also confirm the attribute versus type issue regarding init_t (at
lines 940 and 961 of the existing policy/modules/system/init.if and in
the new interface that I had created)?
Dominick spotted that, and now I also believe it is a typo.
If the latter is confirmed, my worry is how come nothing in the build
process (or any subsequent step) failed?
Regards,
Guido
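As an added example (not code from this thread or from refpolicy), the helper below parses AVC denial records like the two quoted above and, for tclass=fifo_file, tells an unnamed pipe (dev=pipefs, path="pipe:[inode]") apart from a named FIFO: for the former it emits the plain allow rule with read_fifo_file_perms that Christopher recommends, for the latter the *_fifo_files_pattern form, which also grants search on the parent directory. The permission-set contents are an assumption modelled on refpolicy's read/write/rw_fifo_file_perms, and DIR_TYPE_PLACEHOLDER stands for the parent directory type, which an AVC record does not carry.

```python
"""Classify SELinux fifo_file denials and suggest the narrowest rule form."""
import re
from dataclasses import dataclass
from typing import Optional, Iterable, List, Dict, Tuple

# Constructed sample: the two denials quoted in the thread, each joined onto one line.
SAMPLE_AVC = [
    'type=AVC msg=audit(1294704869.317:19776): avc: denied { read } for pid=2661 '
    'comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 '
    'scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file',
    'type=1400 audit(1294704824.813:3): avc: denied { read } for pid=1398 '
    'comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 '
    'scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file',
]

_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed to track refpolicy's read_fifo_file_perms / write_fifo_file_perms sets.
READ_PERMS = frozenset({"getattr", "open", "read", "lock", "ioctl"})
WRITE_PERMS = frozenset({"getattr", "open", "write", "append", "lock", "ioctl"})


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source: str   # source type, e.g. readahead_t
    target: str   # target type, e.g. init_t
    tclass: str
    path: str
    dev: str


def _type_of(context: str) -> str:
    """user:role:type:level -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an 'avc: denied' record, or None for anything else."""
    m = _DENIED.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    try:
        return Denial(
            perms=frozenset(m.group(1).split()),
            source=_type_of(fields["scontext"]),
            target=_type_of(fields["tcontext"]),
            tclass=fields["tclass"],
            path=fields.get("path", ""),
            dev=fields.get("dev", ""),
        )
    except KeyError:
        return None


def is_anonymous_pipe(d: Denial) -> bool:
    """An unnamed pipe lives on pipefs and has no directory entry to search."""
    return d.tclass == "fifo_file" and (d.dev == "pipefs" or d.path.startswith("pipe:["))


def suggest_rule(d: Denial) -> Optional[str]:
    """Pick the permission set, then the rule form that fits the object kind."""
    if d.tclass != "fifo_file":
        return None
    if d.perms <= READ_PERMS:
        perm_set = "read_fifo_file_perms"
    elif d.perms <= WRITE_PERMS:
        perm_set = "write_fifo_file_perms"
    else:
        perm_set = "rw_fifo_file_perms"
    if is_anonymous_pipe(d):
        # No parent directory involved: a bare allow rule is the whole story.
        return f"allow {d.source} {d.target}:fifo_file {perm_set};"
    # Named FIFO: the caller also needs search on the parent directory, so the
    # pattern macro applies; the directory type is not present in the AVC record.
    pattern = perm_set.replace("_fifo_file_perms", "_fifo_files_pattern")
    return f"{pattern}({d.source}, DIR_TYPE_PLACEHOLDER, {d.target})"


def summarize(lines: Iterable[str]) -> List[str]:
    """Merge denials per (source, target, class, object kind) and emit one rule each."""
    merged: Dict[Tuple[str, str, str, bool], Denial] = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.source, d.target, d.tclass, is_anonymous_pipe(d))
        prev = merged.get(key)
        perms = (prev.perms | d.perms) if prev else d.perms
        merged[key] = Denial(perms, d.source, d.target, d.tclass, d.path, d.dev)
    rules = [suggest_rule(d) for d in merged.values()]
    return [r for r in rules if r]


if __name__ == "__main__":
    for rule in summarize(SAMPLE_AVC):
        print(rule)
```

Both quoted denials collapse to a single `allow readahead_t init_t:fifo_file read_fifo_file_perms;`, which is the plain-rule form the thread settles on; feeding the script a denial whose path is a real filesystem location instead yields the pattern form with a placeholder for the directory type.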