From: russell@coker.com.au (Russell Coker)
Date: Fri, 4 Mar 2011 17:54:59 +1100
Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file
	descriptors
In-Reply-To: <4D6F9C51.5020503@redhat.com>
References: <1297838523.3205.120.camel@tesla.lan>
	<4D6F9A19.7060109@tresys.com> <4D6F9C51.5020503@redhat.com>
Message-ID: <201103041754.59371.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 4 Mar 2011, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>>>>>>> +kernel_use_fds(mount_t)
> >>>> 
> >>>> Unfortunately I cannot provide more details now. I believe it's
> >>>> happening at boot-up. I am also quite sure it's not critical. And the
> >>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> >>>> from Fedora (will be obsoleted soon by the way).
> >>>> 
> >>>> You could just drop it for the time being...
> >>> 
> >>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout
> >>> passes it to init, which passes it to initrc_t which passes it to
> >>> mount_t.  (init_t could pass it directly to mount_t).
> >> 
> > 
> > This scenario doesn't sound right to me.  Why would the kernel be using
> > a pty?  I would expect it to be using /dev/console.

Sounds to me like the pty is being created before the policy is loaded.  
Everything that is done before the first policy load is run as "kernel" which 
becomes "kernel_t".

So the question is, why is that pty being leaked or why is a pty from before 
policy load hanging around until afterwards?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/