From: aranea@aixah.de (Luis Ressel)
Date: Wed, 13 Sep 2017 04:58:07 +0200
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit
 accesses to ptys inherited from portage
In-Reply-To: <0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
References: <20170912071643.22114-1-aranea@aixah.de>
	<0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
Message-ID: <20170913045807.40078217@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Sep 2017 19:08:37 -0400
Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:

> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> > ---
> >   portage.if | 20 ++++++++++++++++++++
> >   1 file changed, 20 insertions(+)
> > 
> > diff --git a/portage.if b/portage.if
> > index c0c7e9b..77bc1d2 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >   
> >   	dontaudit $1 portage_tmp_t:file rw_file_perms;
> >   ')
> > +
> > +########################################
> > +## <summary>
> > +##	Do not audit attempts to read and write
> > +##	portage ptys.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain to not audit.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`portage_dontaudit_use_ptys',`
> > +	gen_require(`
> > +		type portage_devpts_t;
> > +	')
> > +
> > +	dontaudit $1 portage_devpts_t:chr_file
> > rw_inherited_term_perms;
> > +	term_dontaudit_use_ptmx($1)  
> 
> I don't think this ptmx dontaudit applies here, especially if the pty
> is inherited.

This denial definitly came up with the fds inherited from portage. I
haven't checked why exactly, though.

By the way, I'm also seeing a denial for a ptmx_t-labeled pty master
that my window manager leaks to firefox. I don't recall seeing that one
earlier, so there may have been changes in 4.13 affecting this. Perhaps
I'll look into it later.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170913/0deeea30/attachment.bin