From: aranea@aixah.de (Luis Ressel)
Date: Fri, 15 Sep 2017 04:32:14 +0200
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
In-Reply-To: <78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
References: <20170912071643.22114-1-aranea@aixah.de> <0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org> <20170913045807.40078217@vega.skynet.aixah.de> <78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
Message-ID: <20170915043214.107e67f6@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 13 Sep 2017 18:29:30 -0400
Chris PeBenito via refpolicy wrote:

> On 09/12/2017 10:58 PM, Luis Ressel wrote:
> > On Tue, 12 Sep 2017 19:08:37 -0400
> > Chris PeBenito via refpolicy wrote:
> >
> >> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
> >>> ---
> >>>  portage.if | 20 ++++++++++++++++++++
> >>>  1 file changed, 20 insertions(+)
> >>>
> >>> diff --git a/portage.if b/portage.if
> >>> index c0c7e9b..77bc1d2 100644
> >>> --- a/portage.if
> >>> +++ b/portage.if
> >>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',` > >>> > >>> dontaudit $1 portage_tmp_t:file rw_file_perms; > >>> ') > >>> + > >>> +######################################## > >>> +## > >>> +## Do not audit attempts to read and write > >>> +## portage ptys. > >>> +## > >>> +## > >>> +## > >>> +## Domain to not audit. > >>> +## > >>> +## > >>> +# > >>> +interface(`portage_dontaudit_use_ptys',` > >>> + gen_require(` > >>> + type portage_devpts_t; > >>> + ') > >>> + > >>> + dontaudit $1 portage_devpts_t:chr_file > >>> rw_inherited_term_perms; > >>> + term_dontaudit_use_ptmx($1)
> >>
> >> I don't think this ptmx dontaudit applies here, especially if the
> >> pty is inherited.
> >
> > This denial definitely came up with the fds inherited from portage. I
> > haven't checked why exactly, though.
>
> So ptmx is being leaked?

Yes, ptmx is being leaked on one of the higher fds. However, I just noticed that the way ldconfig is called has been changed in the py3 version of the scripts; only users invoking portage via python2.7 will see the denials I'm dontauditing here.

I'll leave it to you whether the patch should be merged or not. If you merge it, it'd be great if you could add a comment to libraries.te saying the dontaudit is only needed for python2.

Regards,
Luis Ressel
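Review bot: the `term_dontaudit_use_ptmx($1)` call at the end of the new `portage_dontaudit_use_ptys` interface is wider than the interface's own summary ("Do not audit attempts to read and write portage ptys"), so a caller silencing denials on an inherited portage pty also silences every denial on /dev/ptmx, which is a separate leaked fd per the discussion below the hunk and is not a portage pty at all. Either drop that line and let the single affected caller in libraries.te add `term_dontaudit_use_ptmx()` itself, next to the python2-only comment the author asks for, or extend the summary to state that the interface also covers a ptmx fd leaked alongside the pty, so that policy readers can tell which denials the dontaudit is hiding. The `rw_inherited_term_perms` choice on `portage_devpts_t:chr_file` is the right one for inherited descriptors, since it omits `open`, and should stay as is.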