From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 4 Apr 2017 18:54:39 -0400 Subject: [refpolicy] [PATCH] misc fc changes In-Reply-To: <201704041747.43564.russell@coker.com.au> References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <20170404072328.GA10685@t450.enp8s0.d30> <201704041747.43564.russell@coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/04/2017 03:47 AM, Russell Coker via refpolicy wrote: > On Tue, 4 Apr 2017 05:23:28 PM Dominick Grift via refpolicy wrote: >>> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc >>> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc >>> @@ -14,6 +14,7 @@ >>> >>> /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) >>> /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) >>> /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) >>> >>> +/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) >> >> This is probably going to cause issues. This file will be created with >> devpts_t (there is no other way) and so you will have to rely on early >> relabeling of /dev/pts to get this done Not all systems relabel /dev(/pts) >> early on. > > That will only be an issue on systems that don't relabel it early enough and > don't create a /dev/ptmx device node. Such systems wouldn't work properly > with the current policy, so probably don't exist. In this case "early enough" > means "before the first inbound ssh connection". > >> So you might end up with devpts_t on some systems and ptmx_t on >> others. (inconsistency) > > Actually we have inconsistency right now with /dev/ptmx and /dev/pts/ptmx > having different labels. My patch solves the inconsistency. > >> Leaving it devpts_t will atleast allow you to rely on the labeling to be >> consistent, and since that is the only file that will ever legitimately >> end up devpts_t that should not be a problem > > If we are going to take that approach then we should make ptmx_t an alias for > devpts_t and label /dev/ptmx as devpts_t. > > Chris, what do you think? I want ptmx to be consistent and not devpts_t. If it depends on early relabeling, then so be it. It doesn't seem to be a problem generally, as you mentioned. /dev/* is already a big potential for labeling race conditions. I'd prefer a comment added in the fc file so if in the future someone hits the early relabeling problem, they might find info in the comment. -- Chris PeBenito