[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch

Christopher J. PeBenito cpebenito at tresys.com
Fri Feb 29 16:32:29 UTC 2008


On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote:
> On 29/02/08 13:46, Christopher J. PeBenito wrote:
> > On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
> >> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
> >> with run_init), then the ldconfig called from a postinst and/or a postrm
> >> scripts of shared libs brings the following denials:
> >>
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
> >> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
> >>
> >> The attached patch (which replaces my previous patch) suppresses these messages.
> >> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
> >> Fedora or Ubuntu solves this. (This could be added too.)
> > 
> > The apt rules are fine, but there shouldn't be any more generic pty
> > usage anymore.  Are you using an older policy that doesn't have strict
> > and targeted merged (and unconfined_r)?
> 
> It's because apt creates a pty of its own to run dpkg on, so it can log the
> output.  (This is fairly recent - it has been in apt trunk since October.)

Makes sense.

> The attached patch is what I am using to deal with this.  (I'm not sure if
> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t)
> but dontaudit is what the Debian policy package uses.)

You probably want to allow it otherwise ldconfig won't inherit the fds
that point to the apt pty.  By denying the inheritance on an enforcing
system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose
any ldconfig output.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
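
Added example, not part of the original message or of refpolicy: a simplified Python parser (in the spirit of audit2allow, not its implementation) that reduces the three denials quoted in the thread to the raw access-vector rules they correspond to, and picks out `fd { use }` denials, the descriptor-inheritance case the reply discusses. The function names are hypothetical; refpolicy itself would grant this access through interfaces such as `apt_use_fds(ldconfig_t)` rather than raw rules.

```python
import re
from collections import defaultdict

# The three denials quoted in the thread above, copied verbatim.
SAMPLE = """\
Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc:  denied  { read write } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc:  denied  { use } for  pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc:  denied  { write } for  pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Extract the type from user:role:type[:mls-range]."""
    return context.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial line
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def to_rules(denials, keyword="allow"):
    """Render one rule per key; keyword may be 'allow' or 'dontaudit'."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"{keyword} {src} {tgt}:{cls} {perm_str};")
    return rules

def inherited_fd_denials(denials):
    """(source, target) pairs where fd { use } was denied: inheritance blocked."""
    return sorted((s, t) for (s, t, c), p in denials.items()
                  if c == "fd" and "use" in p)

if __name__ == "__main__":
    d = parse_denials(SAMPLE)
    print("\n".join(to_rules(d)))
    print("fd inheritance denied for:", inherited_fd_denials(d))
```

Passing `keyword="dontaudit"` renders the same access as silenced denials, which is the choice the thread is weighing for the `fd` rule.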



