From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Sep 2017 18:29:30 -0400
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit
 accesses to ptys inherited from portage
In-Reply-To: <20170913045807.40078217@vega.skynet.aixah.de>
References: <20170912071643.22114-1-aranea@aixah.de>
	<0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
	<20170913045807.40078217@vega.skynet.aixah.de>
Message-ID: <78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 10:58 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 19:08:37 -0400
> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>> ---
>>>    portage.if | 20 ++++++++++++++++++++
>>>    1 file changed, 20 insertions(+)
>>>
>>> diff --git a/portage.if b/portage.if
>>> index c0c7e9b..77bc1d2 100644
>>> --- a/portage.if
>>> +++ b/portage.if
>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>    
>>>    	dontaudit $1 portage_tmp_t:file rw_file_perms;
>>>    ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +##	Do not audit attempts to read and write
>>> +##	portage ptys.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain to not audit.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`portage_dontaudit_use_ptys',`
>>> +	gen_require(`
>>> +		type portage_devpts_t;
>>> +	')
>>> +
>>> +	dontaudit $1 portage_devpts_t:chr_file
>>> rw_inherited_term_perms;
>>> +	term_dontaudit_use_ptmx($1)
>>
>> I don't think this ptmx dontaudit applies here, especially if the pty
>> is inherited.
> 
> This denial definitly came up with the fds inherited from portage. I
> haven't checked why exactly, though.

So ptmx is being leaked?


-- 
Chris PeBenito