From: aranea@aixah.de (Luis Ressel)
Date: Fri, 15 Sep 2017 04:32:14 +0200
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit
 accesses to ptys inherited from portage
In-Reply-To: <78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
References: <20170912071643.22114-1-aranea@aixah.de>
	<0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
	<20170913045807.40078217@vega.skynet.aixah.de>
	<78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
Message-ID: <20170915043214.107e67f6@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 13 Sep 2017 18:29:30 -0400
Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:

> On 09/12/2017 10:58 PM, Luis Ressel wrote:
> > On Tue, 12 Sep 2017 19:08:37 -0400
> > Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> >   
> >> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:  
> >>> ---
> >>>    portage.if | 20 ++++++++++++++++++++
> >>>    1 file changed, 20 insertions(+)
> >>>
> >>> diff --git a/portage.if b/portage.if
> >>> index c0c7e9b..77bc1d2 100644
> >>> --- a/portage.if
> >>> +++ b/portage.if
> >>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
> >>>    
> >>>    	dontaudit $1 portage_tmp_t:file rw_file_perms;
> >>>    ')
> >>> +
> >>> +########################################
> >>> +## <summary>
> >>> +##	Do not audit attempts to read and write
> >>> +##	portage ptys.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##	<summary>
> >>> +##	Domain to not audit.
> >>> +##	</summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`portage_dontaudit_use_ptys',`
> >>> +	gen_require(`
> >>> +		type portage_devpts_t;
> >>> +	')
> >>> +
> >>> +	dontaudit $1 portage_devpts_t:chr_file
> >>> rw_inherited_term_perms;
> >>> +	term_dontaudit_use_ptmx($1)  
> >>
> >> I don't think this ptmx dontaudit applies here, especially if the
> >> pty is inherited.  
> > 
> > This denial definitly came up with the fds inherited from portage. I
> > haven't checked why exactly, though.  
> 
> So ptmx is being leaked?

Yes, ptmx is being leaked on one of the higher fds. However, I just
noticed that the way ldconfig is called has been changed in the py3
version of the scripts; only users invoking portage via python2.7 will
see the denials I'm dontauditing here.

I'll leave it to you whether the patch should be merged or not. If you
merge it, it'd be great if you could add a comment to libraries.te
saying the dontaudit is only needed for python2.

Regards,
Luis Ressel