From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Sep 2017 18:29:30 -0400
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
In-Reply-To: <20170913045807.40078217@vega.skynet.aixah.de>
References: <20170912071643.22114-1-aranea@aixah.de>
	<0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
	<20170913045807.40078217@vega.skynet.aixah.de>
Message-ID: <78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 10:58 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 19:08:37 -0400
> Chris PeBenito via refpolicy wrote:
> 
>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>> ---
>>>   portage.if | 20 ++++++++++++++++++++
>>>   1 file changed, 20 insertions(+)
>>> 
>>> diff --git a/portage.if b/portage.if
>>> index c0c7e9b..77bc1d2 100644
>>> --- a/portage.if
>>> +++ b/portage.if
>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>  
>>>  	dontaudit $1 portage_tmp_t:file rw_file_perms;
>>>  ')
>>> +
>>> +########################################
>>> +## 
>>> +##	Do not audit attempts to read and write
>>> +##	portage ptys.
>>> +## 
>>> +## 
>>> +## 
>>> +##	Domain to not audit.
>>> +## 
>>> +## 
>>> +#
>>> +interface(`portage_dontaudit_use_ptys',`
>>> +	gen_require(`
>>> +		type portage_devpts_t;
>>> +	')
>>> +
>>> +	dontaudit $1 portage_devpts_t:chr_file
>>> rw_inherited_term_perms;
>>> +	term_dontaudit_use_ptmx($1)
>>
>> I don't think this ptmx dontaudit applies here, especially if the pty
>> is inherited.
> 
> This denial definitely came up with the fds inherited from portage. I
> haven't checked why exactly, though.

So ptmx is being leaked?

-- 
Chris PeBenito
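Review bot: the `term_dontaudit_use_ptmx($1)` call at the end of the new `portage_dontaudit_use_ptys` interface silences a denial whose cause is not established; the interface's stated scope is ptys inherited from portage, and, as the reply above asks, a ptmx denial in a domain that merely inherits a pty points to a /dev/ptmx descriptor leaking across the exec, which a dontaudit would hide rather than fix. Suggest keeping only `dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;` in this interface until the origin of the ptmx denial is known, and if a leak is confirmed, closing the descriptor in portage or the calling domain instead of dontauditing it. The patch also has no commit message body (only `---` and the diffstat) saying which domain hit the denial, which would help judge whether the ptmx part is needed at all.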