From: dwalsh@redhat.com (Daniel J Walsh) Date: Thu, 03 Mar 2011 08:49:05 -0500 Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors In-Reply-To: <4D6F9A19.7060109@tresys.com> References: <1297838523.3205.120.camel@tesla.lan> <4D6BB9CC.7060406@tresys.com> <1298920576.3123.12.camel@tesla.lan> <4D6D44C0.5090700@tresys.com> <1299013715.14035.52.camel@tesla.lan> <4D6E9579.1050105@redhat.com> <1299095277.28492.13.camel@tesla.lan> <4D6F9A19.7060109@tresys.com> Message-ID: <4D6F9C51.5020503@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/03/2011 08:39 AM, Christopher J. PeBenito wrote: > On 3/2/2011 2:47 PM, Guido Trentalancia wrote: >> On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote: >>> On 03/01/2011 04:08 PM, Guido Trentalancia wrote: >>>> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote: >>>>> On 02/28/11 14:16, Guido Trentalancia wrote: >>>>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote: >>>>>>> On 02/16/11 01:42, Guido Trentalancia wrote: >>>>>>>> This patch allows mount to use kernel file descriptors. >>>>>>>> >>>>>>>> diff -pruN >>>>>>>> refpolicy-git-15022011-test/policy/modules/system/mount.te >>>>>>>> refpolicy-git-15022011-test-new/policy/modules/system/mount.te >>>>>>>> --- >>>>>>>> refpolicy-git-15022011-test/policy/modules/system/mount.te >>>>>>>> 2011-02-16 02:34:33.253189215 +0100 >>>>>>>> +++ >>>>>>>> refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 >>>>>>>> 03:54:18.732023725 +0100 
>>>>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t) >>>>>>>> >>>>>>>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) >>>>>>>> >>>>>>>> +kernel_use_fds(mount_t) >>>>>>>> kernel_read_system_state(mount_t) >>>>>>>> kernel_read_kernel_sysctls(mount_t) >>>>>>>> kernel_dontaudit_getattr_core_if(mount_t) >>>>>>> >>>>>>> How did you come across this? >>>>>> >>>>>> type=1400 audit(1295758153.958:3): avc: denied { use } for >>>>>> pid=1429 >>>>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3 >>>>>> scontext=system_u:system_r:mount_t:s0 >>>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd >>>>> >>>>> Can you provide more detail? What was happening on the system? >>>> >>>> Unfortunately I cannot provide more details now. I believe it's >>>> happening at boot-up. I am also quite sure it's not critical. And the >>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script >>>> from Fedora (will be obsoleted soon by the way). >>>> >>>> You could just drop it for the time being... >>> >>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout >>> passes it to init, which passes it to initrc_t which passes it to >>> mount_t. (init_t could pass it directly to mount_t). >> >> And mount_t uses it to print out messages such as "mount >> point /proc/bus/usb does not exist" very early during boot-up. Does this >> sound like a possible end of the story ? > > This scenario doesn't sound right to me. Why would the kernel be using > a pty? I would expect it to be using /dev/console. > Maybe to talk to plymouth? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1vnFEACgkQrlYvE4MpobOo+ACgjM1WxvUhnyx6Fvuvo4x/4XVA oakAmwdoLNxGbf2QmV+Lv0+Hz0GQ7KwB =OgrZ -----END PGP SIGNATURE-----
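Review bot: the only evidence offered for `+kernel_use_fds(mount_t)` is a single AVC denial (`scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd`, path `/dev/pts/0`) that the submitter cannot reproduce or tie to a specific event, and the thread's own explanation for it (a pty descriptor inherited from kernel_t through init and initrc down to mount) is disputed in the same thread. Allowing `use` on kernel_t file descriptors is a permanent widening of mount_t for every boot, so the hunk should either come with a description of what was running when the denial fired, showing the descriptor is legitimately inherited, or, if the only observable effect is a lost console message early in boot, use a dontaudit instead (refpolicy provides `kernel_dontaudit_use_fds(mount_t)`) until the origin of that descriptor is understood.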