[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch

Martin Orr martin at martinorr.name
Fri Feb 29 15:29:02 UTC 2008


On 29/02/08 13:46, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
>> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
>> with run_init), then the ldconfig called from the postinst and/or postrm
>> scripts of shared libs brings the following denials:
>>
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
>>
>> The attached patch (which replaces my previous patch) suppresses these messages.
>> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
>> Fedora or Ubuntu solve this. (This could be added too.)
> 
> The apt rules are fine, but there shouldn't be any more generic pty
> usage anymore.  Are you using an older policy that doesn't have strict
> and targeted merged (and unconfined_r)?

It's because apt creates a pty of its own to run dpkg on, so it can log the
output.  (This is fairly recent - it has been in apt trunk since October.)

The attached patch is what I am using to deal with this.  (I'm not sure if
it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
but dontaudit is what the Debian policy package uses.)

Best wishes,

-- 
Martin Orr
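
The three denials quoted above hit three different object classes, and only the chr_file one targets the generic devpts_t label that the reply asks about. The following is an added example, not part of the original post or of refpolicy; it groups the quoted log lines by source type, target type and class, and all function names are this example's own.

```python
import re
from collections import defaultdict

# The three AVC lines quoted in the message above, copied as posted.
SAMPLE_LOG = """\
Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))


def summarize(log_text):
    """Merge denials into {(source, target, class): set of permissions}."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def render(summary):
    """One line per denied access vector, sorted for stable review output."""
    return [f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}"
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    for row in render(summarize(SAMPLE_LOG)):
        print(row)
```

Each output row is a distinct access check that policy has to decide on separately, which is why the patch needs both an fd rule and a pty rule for ldconfig_t.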
-------------- next part --------------
Written by: Martin Orr
with bits from:
srivasta at debian.org--lenny/refpolicy--debian--0.0--patch-12
srivasta at debian.org--lenny/refpolicy--debian--0.0--patch-13

Combines 501_apt_create_pty with bits from 365_apt_fixes

Cope with apt creating a new pty to run dpkg

Index: policy/modules/admin/apt.fc
===================================================================
--- policy/modules/admin/apt.fc.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.fc	2008-02-29 14:56:46.000000000 +0000
@@ -11,3 +11,6 @@
 # package list repository
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.if	2008-02-29 14:56:46.000000000 +0000
@@ -92,6 +92,25 @@
 
 ########################################
 ## <summary>
+##     Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The type of the process attempting performing this action
+##      which should not be audited.
+##     </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Read and write an unnamed apt pipe.
 ## </summary>
 ## <param name="domain">
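Review bot: The parameter summary of apt_dontaudit_use_fds reads "The type of the process attempting performing this action which should not be audited", which is garbled; a short form such as "Domain to not audit." would be clearer. The added comment lines are also indented with spaces after "##", while the neighbouring interface ("Read and write an unnamed apt pipe.") uses a tab, so the block should be re-indented to match the file.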
@@ -111,6 +130,24 @@
 
 ########################################
 ## <summary>
+##	Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+	gen_require(`
+		type apt_devpts_t;
+	')
+
+	allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read the apt package database.
 ## </summary>
 ## <param name="domain">
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/apt.te	2008-02-29 14:57:02.000000000 +0000
@@ -1,5 +1,5 @@
 
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
 
 ########################################
 #
@@ -26,6 +26,13 @@
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+type apt_var_log_t alias var_log_apt_t;
+logging_log_file(apt_var_log_t)
+
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
 ########################################
 #
 # apt Local policy
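Review bot: apt_var_log_t is declared here with logging_log_file() and apt.fc labels /var/log/apt(/.*)? with it, but no hunk in this patch gives apt_t any access to the new type or a file type transition into it. Unless apt_t already has access to every log type, the rules for apt_t to create and write its log under the new label need to be added in the apt local policy section, otherwise the relabel trades the reported denials for new ones. The "alias var_log_apt_t" also looks unnecessary for a type that is introduced by this patch.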
@@ -97,6 +104,7 @@
 
 fs_getattr_all_fs(apt_t)
 
+term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
 
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/admin/dpkg.te	2008-02-29 14:56:46.000000000 +0000
@@ -172,6 +172,10 @@
 # since the scripts aren't labeled correctly yet...
 allow dpkg_t dpkg_var_lib_t:file execute;
 
+optional_policy(`
+	apt_use_ptys(dpkg_t)
+')
+
 # TODO: allow?
 #optional_policy(`
 #	cron_system_entry(dpkg_t,dpkg_exec_t)
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig	2008-02-29 14:55:59.000000000 +0000
+++ policy/modules/system/libraries.te	2008-02-29 14:56:46.000000000 +0000
@@ -98,6 +98,11 @@
 ')
 
 optional_policy(`
+	apt_dontaudit_use_fds(ldconfig_t)
+	apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it.  If you dont allow this kernel installs 
 	# blow up.
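Review bot: In the optional_policy block added for ldconfig_t, apt_dontaudit_use_fds and apt_use_ptys work against each other. The descriptor ldconfig inherits belongs to apt_t (the second reported denial is { use } on apt_t:fd for name="2" dev=devpts), and the fd use check comes before the check on the pty itself, so while fd use stays denied the chr_file access granted by apt_use_ptys is never exercised for that descriptor and ldconfig's output does not reach apt's terminal log. Either allow the fd use, or drop apt_use_ptys here and silence the pty access as well. The third reported denial, { write } on apt_t:fifo_file, is not addressed by this hunk.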

