From: aranea@aixah.de (Luis Ressel)
Date: Wed, 13 Sep 2017 04:58:07 +0200
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
In-Reply-To: <0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
References: <20170912071643.22114-1-aranea@aixah.de>
	<0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
Message-ID: <20170913045807.40078217@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Sep 2017 19:08:37 -0400
Chris PeBenito via refpolicy wrote:

> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> > ---
> >  portage.if | 20 ++++++++++++++++++++
> >  1 file changed, 20 insertions(+)
> >
> > diff --git a/portage.if b/portage.if
> > index c0c7e9b..77bc1d2 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >
> >  dontaudit $1 portage_tmp_t:file rw_file_perms;
> >  ')
> > +
> > +########################################
> > +##
> > +## Do not audit attempts to read and write
> > +## portage ptys.
> > +##
> > +##
> > +##
> > +## Domain to not audit.
> > +##
> > +##
> > +#
> > +interface(`portage_dontaudit_use_ptys',`
> > + gen_require(`
> > + type portage_devpts_t;
> > + ')
> > +
> > + dontaudit $1 portage_devpts_t:chr_file
> > rw_inherited_term_perms;
> > + term_dontaudit_use_ptmx($1)
>
> I don't think this ptmx dontaudit applies here, especially if the pty
> is inherited.

This denial definitely came up with the fds inherited from portage. I
haven't checked why exactly, though.

By the way, I'm also seeing a denial for a ptmx_t-labeled pty master that
my window manager leaks to firefox. I don't recall seeing that one
earlier, so there may have been changes in 4.13 affecting this. Perhaps
I'll look into it later.
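Review bot: the `term_dontaudit_use_ptmx($1)` call at the end of the new `portage_dontaudit_use_ptys` interface is wider than the interface's documented scope. The doc comment and the name describe not auditing access to portage ptys inherited by the caller, and the `dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;` rule already covers that inherited slave fd; the extra line additionally silences use of the ptmx device, which is a different object from an inherited `portage_devpts_t` pty, so every caller of this interface would also lose audit records for ptmx access. Suggest dropping the ptmx line here and, if a ptmx denial is genuinely seen in domains spawned by portage, identifying which fd is inherited (the follow-up mentions a leaked ptmx_t master in an unrelated case) so the leak can be closed, rather than hiding it with a dontaudit, since a silenced fd leak is exactly the kind of evidence an audit log is meant to keep.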