From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 16 Sep 2017 13:17:54 -0400
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit
 accesses to ptys inherited from portage
In-Reply-To: <20170915043214.107e67f6@vega.skynet.aixah.de>
References: <20170912071643.22114-1-aranea@aixah.de>
	<0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org>
	<20170913045807.40078217@vega.skynet.aixah.de>
	<78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org>
	<20170915043214.107e67f6@vega.skynet.aixah.de>
Message-ID: <1dc80b7a-a08b-9fd5-9dfa-257969c86a64@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/14/2017 10:32 PM, Luis Ressel wrote:
> On Wed, 13 Sep 2017 18:29:30 -0400
> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
>> On 09/12/2017 10:58 PM, Luis Ressel wrote:
>>> On Tue, 12 Sep 2017 19:08:37 -0400
>>> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
>>>    
>>>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>>>> ---
>>>>>     portage.if | 20 ++++++++++++++++++++
>>>>>     1 file changed, 20 insertions(+)
>>>>>
>>>>> diff --git a/portage.if b/portage.if
>>>>> index c0c7e9b..77bc1d2 100644
>>>>> --- a/portage.if
>>>>> +++ b/portage.if
>>>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',`
>>>>>     
>>>>>     	dontaudit $1 portage_tmp_t:file rw_file_perms;
>>>>>     ')
>>>>> +
>>>>> +########################################
>>>>> +## <summary>
>>>>> +##	Do not audit attempts to read and write
>>>>> +##	portage ptys.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +##	<summary>
>>>>> +##	Domain to not audit.
>>>>> +##	</summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`portage_dontaudit_use_ptys',`
>>>>> +	gen_require(`
>>>>> +		type portage_devpts_t;
>>>>> +	')
>>>>> +
>>>>> +	dontaudit $1 portage_devpts_t:chr_file
>>>>> rw_inherited_term_perms;
>>>>> +	term_dontaudit_use_ptmx($1)
>>>>
>>>> I don't think this ptmx dontaudit applies here, especially if the
>>>> pty is inherited.
>>>
>>> This denial definitly came up with the fds inherited from portage. I
>>> haven't checked why exactly, though.
>>
>> So ptmx is being leaked?
> 
> Yes, ptmx is being leaked on one of the higher fds. However, I just
> noticed that the way ldconfig is called has been changed in the py3
> version of the scripts; only users invoking portage via python2.7 will
> see the denials I'm dontauditing here.
> 
> I'll leave it to you whether the patch should be merged or not. If you
> merge it, it'd be great if you could add a comment to libraries.te
> saying the dontaudit is only needed for python2.

Since Python 2.7 is on the way out, I'm inclined to skip this patch.

-- 
Chris PeBenito