[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch

Christopher J. PeBenito cpebenito at tresys.com
Fri Feb 29 13:46:01 UTC 2008


On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
> Hi,
> this is a completion of the previous patch...
[...]
> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
> with run_init), then the ldconfig called from the postinst and/or postrm
> scripts of shared libs produces the following denials:
> 
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> 
> The attached patch (which replaces my previous patch) suppresses these messages.
> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
> Fedora or Ubuntu solves this. (This could be added to.)

The apt rules are fine, but there shouldn't be any more generic pty
usage anymore.  Are you using an older policy that doesn't have strict
and targeted merged (and unconfined_r)?

> @@ -103,3 +108,10 @@
>         # blow up.
>         rpm_manage_script_tmp_files(ldconfig_t)
>  ')
> +
> +optional_policy(`
> +       # ldconfig run from postinstall, postrm scripts on Debian...
> +       apt_rw_pipes(ldconfig_t)
> +       apt_use_fds(ldconfig_t)
> +       term_use_generic_ptys(ldconfig_t)
> +')
> 
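Review bot: term_use_generic_ptys(ldconfig_t) does not belong inside this optional_policy block. It is a terminal (kernel-layer) interface, not an apt one, so grouping it with apt_rw_pipes and apt_use_fds makes ldconfig's pty access depend on the apt module being loaded and hides that the devpts_t chr_file denial above has nothing to do with apt_t. Either drop it (the reply above states generic pty use should no longer be needed once strict and targeted are merged) or, if it is still required on this policy, move it out of the optional block next to the unconditional ldconfig_t rules. The comment "ldconfig run from postinstall, postrm scripts on Debian..." should also name the module the block is optional on, as the rpm block directly above it does.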

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
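The three AVC records quoted in the thread map one-to-one onto the three interface calls in the patch (devpts_t chr_file to term_use_generic_ptys, apt_t fd to apt_use_fds, apt_t fifo_file to apt_rw_pipes). The following is an added example, not code from the thread or from refpolicy, that parses such audit lines the way audit2allow does, aggregates them into raw allow rules keyed by (source type, target type, class), and then looks each rule up in a small table built from the patch to suggest the refpolicy interface instead of the raw rule. The sample input is the three denials from the thread with their syslog prefixes trimmed; the interface table is an assumption limited to the three cases the patch covers and is not a general refpolicy lookup.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the thread,
# with the "Feb 28 12:24:59 sid kernel:" syslog prefix removed.
SAMPLE_AVC = """\
audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
"""

# Matches the parts of an AVC record that determine the allow rule:
# result, permission set, source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed mapping from (target type, class) to the refpolicy interface the
# patch in the thread uses for it. Only these three entries are grounded in
# the patch; anything else falls back to a raw allow rule.
INTERFACE_FOR = {
    ("devpts_t", "chr_file"): "term_use_generic_ptys",
    ("apt_t", "fd"): "apt_use_fds",
    ("apt_t", "fifo_file"): "apt_rw_pipes",
}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    return rec


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def aggregate_denials(lines):
    """Union the denied permissions per (source type, target type, class)."""
    agg = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        agg[key] |= rec["perms"]
    return dict(agg)


def denials_to_rules(lines):
    """Render aggregated denials as raw allow rules, audit2allow style."""
    rules = []
    for (src, tgt, cls), perms in sorted(aggregate_denials(lines).items()):
        target = "self" if src == tgt else tgt  # SELinux shorthand
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules


def denials_to_interfaces(lines):
    """Prefer a refpolicy interface call where the assumed table knows one."""
    out = []
    for (src, tgt, cls), perms in sorted(aggregate_denials(lines).items()):
        iface = INTERFACE_FOR.get((tgt, cls))
        if iface:
            out.append(f"{iface}({src})")
        else:
            plist = sorted(perms)
            body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
            out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


if __name__ == "__main__":
    for r in denials_to_rules(SAMPLE_AVC.splitlines()):
        print(r)
    print("---")
    for i in denials_to_interfaces(SAMPLE_AVC.splitlines()):
        print(i)
```

Running it on a real host would look like `ausearch -m avc -ts recent | python3 this_script.py` with the sample replaced by stdin; note that, as with audit2allow, the output only tells you what would silence the denial, and the reviewer still has to decide whether the access is legitimate (here the thread's maintainer questions whether the pty access should be granted at all).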




More information about the SELinux-devel mailing list