From: russell@coker.com.au (Russell Coker)
Date: Fri, 4 Mar 2011 17:54:59 +1100
Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
In-Reply-To: <4D6F9C51.5020503@redhat.com>
References: <1297838523.3205.120.camel@tesla.lan> <4D6F9A19.7060109@tresys.com> <4D6F9C51.5020503@redhat.com>
Message-ID: <201103041754.59371.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 4 Mar 2011, Daniel J Walsh wrote:
> >>>>>>>> +kernel_use_fds(mount_t)
> >>>>
> >>>> Unfortunately I cannot provide more details now. I believe it's
> >>>> happening at boot-up. I am also quite sure it's not critical. And the
> >>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> >>>> from Fedora (will be obsoleted soon by the way).
> >>>>
> >>>> You could just drop it for the time being...
> >>>
> >>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout,
> >>> passes it to init, which passes it to initrc_t, which passes it to
> >>> mount_t. (init_t could pass it directly to mount_t.)
> >>
> >
> > This scenario doesn't sound right to me. Why would the kernel be using
> > a pty? I would expect it to be using /dev/console.

Sounds to me like the pty is being created before the policy is loaded.
Everything that is done before the first policy load is run as "kernel",
which becomes "kernel_t". So the question is, why is that pty being leaked,
or why is a pty from before policy load hanging around until afterwards?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
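Review bot: the quoted line `+kernel_use_fds(mount_t)` allows mount_t to use any descriptor that kernel_t holds, which, as the reply explains, covers up a pty that was opened before the first policy load and leaked into mount_t instead of explaining why that descriptor survives; the origin of the open /dev/pts/0 should be tracked down before the rule goes in, and if the rule is kept anyway it needs a comment beside it saying that it exists for a pre-policy-load leak, so it is not read as a normal requirement of mount.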
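An added example, not part of the thread or of refpolicy: a small Python script that picks the fd "use" denials out of constructed audit records and separates the ones whose target domain is kernel_t (descriptors inherited from before the first policy load, the situation described above) from unrelated fd denials, so one can see exactly what a rule like `kernel_use_fds(mount_t)` would be allowing before adding it. The audit lines, pids and paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread), in the usual
# AVC format. Two are the mount_t -> kernel_t fd denial discussed on the list,
# one is an unrelated fd denial and one is not an fd denial at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1299221699.101:42): avc:  denied  { use } for  pid=612 comm="mount" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
type=AVC msg=audit(1299221699.102:43): avc:  denied  { use } for  pid=613 comm="mount" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
type=AVC msg=audit(1299221700.500:44): avc:  denied  { use } for  pid=700 comm="sshd" path="/dev/null" dev=devtmpfs ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
type=AVC msg=audit(1299221701.000:45): avc:  denied  { read } for  pid=701 comm="mount" path="/etc/fstab" dev=sda1 ino=99 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = re.search(r'avc:\s+denied\s+\{ ([^}]*?) \}', line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    return rec


def domain(context):
    """The type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def fd_use_denials(log_text):
    """Count fd 'use' denials, keyed by (source type, target type, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "fd" or "use" not in rec["perms"]:
            continue
        key = (domain(rec["scontext"]), domain(rec["tcontext"]), rec.get("path", "?"))
        counts[key] += 1
    return counts


def kernel_fd_leaks(log_text):
    """Only the fd denials whose descriptor was created by kernel_t, i.e. before
    the first policy load; a pty path here is the leak the thread is after."""
    return {k: v for k, v in fd_use_denials(log_text).items() if k[1] == "kernel_t"}


if __name__ == "__main__":
    for (src, tgt, path), n in sorted(kernel_fd_leaks(SAMPLE_AUDIT).items()):
        print(f"{src} using {tgt} fd {path}: {n} denial(s)")
```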