From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 16 Sep 2017 13:17:54 -0400
Subject: [refpolicy] [PATCH] portage: Add an interface to dontaudit accesses to ptys inherited from portage
In-Reply-To: <20170915043214.107e67f6@vega.skynet.aixah.de>
References: <20170912071643.22114-1-aranea@aixah.de> <0cfa88e5-005d-4e08-c12e-3a363228dd7b@ieee.org> <20170913045807.40078217@vega.skynet.aixah.de> <78a112bb-46a9-c292-c6a7-28cd4ee19640@ieee.org> <20170915043214.107e67f6@vega.skynet.aixah.de>
Message-ID: <1dc80b7a-a08b-9fd5-9dfa-257969c86a64@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/14/2017 10:32 PM, Luis Ressel wrote:
> On Wed, 13 Sep 2017 18:29:30 -0400
> Chris PeBenito via refpolicy wrote:
>
>> On 09/12/2017 10:58 PM, Luis Ressel wrote:
>>> On Tue, 12 Sep 2017 19:08:37 -0400
>>> Chris PeBenito via refpolicy wrote:
>>>
>>>> On 09/12/2017 03:16 AM, Luis Ressel via refpolicy wrote:
>>>>> --- >>>>> portage.if | 20 ++++++++++++++++++++ >>>>> 1 file changed, 20 insertions(+) >>>>> >>>>> diff --git a/portage.if b/portage.if >>>>> index c0c7e9b..77bc1d2 100644 >>>>> --- a/portage.if >>>>> +++ b/portage.if
>>>>> @@ -359,3 +359,23 @@ interface(`portage_dontaudit_rw_tmp_files',` >>>>> >>>>> dontaudit $1 portage_tmp_t:file rw_file_perms; >>>>> ') >>>>> + >>>>> +######################################## >>>>> +## >>>>> +## Do not audit attempts to read and write >>>>> +## portage ptys. >>>>> +## >>>>> +## >>>>> +## >>>>> +## Domain to not audit. >>>>> +## >>>>> +## >>>>> +# >>>>> +interface(`portage_dontaudit_use_ptys',` >>>>> + gen_require(` >>>>> + type portage_devpts_t; >>>>> + ') >>>>> + >>>>> + dontaudit $1 portage_devpts_t:chr_file >>>>> rw_inherited_term_perms; >>>>> + term_dontaudit_use_ptmx($1)
>>>>
>>>> I don't think this ptmx dontaudit applies here, especially if the
>>>> pty is inherited.
>>>
>>> This denial definitely came up with the fds inherited from portage. I
>>> haven't checked why exactly, though.
>>
>> So ptmx is being leaked?
>
> Yes, ptmx is being leaked on one of the higher fds. However, I just
> noticed that the way ldconfig is called has been changed in the py3
> version of the scripts; only users invoking portage via python2.7 will
> see the denials I'm dontauditing here.
>
> I'll leave it to you whether the patch should be merged or not. If you
> merge it, it'd be great if you could add a comment to libraries.te
> saying the dontaudit is only needed for python2.

Since Python 2.7 is on the way out, I'm inclined to skip this patch.

-- 
Chris PeBenito
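Review bot: the `term_dontaudit_use_ptmx($1)` call in the new `portage_dontaudit_use_ptys` interface does not match the interface's stated scope ("Do not audit attempts to read and write portage ptys"); ptmx is a separate object from the `portage_devpts_t` pty covered by the `dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;` rule, and per the thread the ptmx denial comes from a descriptor leaked on a higher fd by the python2 ldconfig path, which is a leak to close in the caller rather than silence in policy (a dontaudit here also hides the evidence that would let someone find it). Suggest dropping the `term_dontaudit_use_ptmx($1)` line, or, if it is kept, widening the interface summary to say ptmx is covered and adding a comment that the leak only occurs when portage runs under python2.7, as Luis asks for in libraries.te.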