From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Wed, 6 Sep 2017 22:50:57 +0200
Subject: [refpolicy] [PATCH 1/2] terminal: /dev/pts exists in /dev filesystem
In-Reply-To:
References: <20170812083500.18273-1-nicolas.iooss@m4x.org> <20170812090037.GA16991@julius.enp8s0.d30> <20170812090339.GA6194@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Aug 12, 2017 at 11:09 AM, Nicolas Iooss wrote:
> On Sat, Aug 12, 2017 at 11:03 AM, Dominick Grift via refpolicy
> wrote:
>> On Sat, Aug 12, 2017 at 11:00:37AM +0200, Dominick Grift wrote:
>>> On Sat, Aug 12, 2017 at 10:34:59AM +0200, Nicolas Iooss via refpolicy wrote:
>>> > systemd tries to create /dev/pts directly with its context type
>>> > "devpts_t", but this is not allowed:
>>> >
>>> > avc: denied { associate } for pid=1 comm="systemd" name="pts"
>>> > scontext=system_u:object_r:devpts_t
>>> > tcontext=system_u:object_r:device_t
>>> > tclass=filesystem permissive=1
>>>
>>> There is probably a context spec that says that the /dev/pts dir should be of type devpts_t.
>>>
>>> If you replace that spec with something like
>>>
>>> /dev/pts -d <>
>>>
>>> then systemd creates the dir with type device_t, then devpts fs gets mounted on it and it will show up as devpts_t.
>>>
>>> A little bit cleaner in my opinion, but I suppose a matter of taste.
>>
>> Never mind, that would not work for MLS:
>>
>> /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
>
> Thanks for your quick review! This line is indeed what is currently in
> refpolicy (https://github.com/TresysTechnology/refpolicy/blob/0ba1970b7cd4a809b155c457913bcd3dad2dc039/policy/modules/kernel/terminal.fc#L26).
> I guess it is needed in order for /dev/pts to have the right context
> after devpts filesystem is mounted.
>
> Nicolas

Hello,

If I correctly understood the discussion about this patch, there are no issues preventing it from being merged.
Could it be merged (and the one I sent with it, "init: allow systemd to create /dev/pts as devpts_t") too?

Thanks,
Nicolas

>>> > ---
>>> > policy/modules/kernel/terminal.te | 1 +
>>> > 1 file changed, 1 insertion(+)
>>> >
>>> > diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
>>> > index f71fda4b5e52..ff9ee502888b 100644
>>> > --- a/policy/modules/kernel/terminal.te
>>> > +++ b/policy/modules/kernel/terminal.te
>>> > @@ -25,6 +25,7 @@ dev_node(console_device_t)
>>> > # the type of the root directory of the file system.
>>> > #
>>> > type devpts_t;
>>> > +dev_associate(devpts_t)
>>> > files_mountpoint(devpts_t)
>>> > fs_associate_tmpfs(devpts_t)
>>> > fs_xattr_type(devpts_t)
>>> > --
>>> > 2.14.1
>>> >
>>> > _______________________________________________
>>> > refpolicy mailing list
>>> > refpolicy at oss.tresys.com
>>> > http://oss.tresys.com/mailman/listinfo/refpolicy
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
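Review bot: the added `dev_associate(devpts_t)` line grants exactly what the quoted denial asks for (source devpts_t, target device_t, class filesystem, permission associate), but the hunk carries no comment saying why a devpts root type must be allowed to associate with the /dev filesystem, and a later reader of terminal.te will not infer that from the neighbouring `files_mountpoint(devpts_t)` and `fs_associate_tmpfs(devpts_t)` lines. Suggest one comment line above it, e.g. `# systemd creates /dev/pts as devpts_t before devpts is mounted`. Note also that this rule covers only the associate check; the directory creation itself by systemd is the companion patch "init: allow systemd to create /dev/pts as devpts_t" named in the reply, so the two should be merged together as the reply asks, otherwise the create still fails once the system runs enforcing rather than with permissive=1 as in the quoted log.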
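The thread works from a single `avc: denied` line to the allow rule that `dev_associate()` wraps. The following is an added example, not code from refpolicy, audit2allow or any participant in the thread: it parses denial lines in the dmesg and audit.log formats, strips an MLS range if the context carries one (the MLS spec quoted above is why that matters), and folds several denials for the same (source type, target type, class) triple into one TE rule. The log lines in `SAMPLE_DENIALS` are constructed for the example; only the first reproduces the one quoted in the thread, the other two are hypothetical denials of the kind the companion "init:" patch would address.

```python
"""Derive minimal SELinux TE allow rules from 'avc: denied' log lines.

Added example (not refpolicy or audit2allow code).  Given denial lines
it extracts source type, target type, object class and permissions and
emits one allow rule per (source, target, class) triple.
"""
import re
from collections import defaultdict

# Matches both the bare dmesg form ("avc: denied { ... }") and the
# audit.log form ("type=AVC msg=audit(...): avc:  denied  { ... }").
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

# Constructed sample input: the thread's denial, plus two hypothetical
# denials for the directory creation that the companion patch covers
# (timestamps and MLS ranges are made up for the example).
SAMPLE_DENIALS = [
    'avc: denied { associate } for pid=1 comm="systemd" name="pts" '
    'scontext=system_u:object_r:devpts_t tcontext=system_u:object_r:device_t '
    'tclass=filesystem permissive=1',
    'type=AVC msg=audit(1502526899.417:61): avc:  denied  { create } for  '
    'pid=1 comm="systemd" name="pts" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=1',
    'type=AVC msg=audit(1502526899.417:62): avc:  denied  { setattr } for  '
    'pid=1 comm="systemd" name="pts" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:devpts_t:s0-s15:c0.c1023 tclass=dir permissive=1',
]


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context.

    The MLS range, when present, is everything after the third colon and
    is irrelevant to a TE allow rule, so it is dropped here.
    """
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict describing one denial line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    permissive = m.group("permissive")
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # None when the kernel did not log the field at all.
        "permissive": (permissive == "1") if permissive is not None else None,
    }


def allow_rules(lines):
    """Fold log lines into sorted TE allow rules, one per
    (source type, target type, class) triple, merging permissions."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DENIALS):
        print(rule)
```

For the thread's line this yields `allow devpts_t device_t:filesystem associate;`, which is the raw form of what the patch expresses through the refpolicy interface `dev_associate(devpts_t)`; in refpolicy the interface call, not the raw rule, is what belongs in a module. Two caveats a practitioner should keep in mind: the `permissive=1` in the quoted log means the kernel kept going after the failed check and logged every denial the operation hit, whereas a log taken from an enforcing system stops at the first denial and can understate what a fix needs; and a rule derived this way is only a starting point for review, since the right answer may be a file-context change (as the thread weighs) rather than a new allow.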