[DSE-Dev] refpolicy: domains need access to the apt's pty and fifos

Václav Ovsík vaclav.ovsik at i.cz
Wed Mar 5 15:23:23 UTC 2008

running Debian Sid with HEAD refpolicy...
I tried to install bind9 and got some further denials for access to pty
and pipe of apt_t domain. This is a continuation of the patch from
Martin Orr in thread "refpolicy: patch for ldconfig from glibc 2.7...",
witch was about apt finally.

sid:/var/lib/dpkg/info# se_apt-get install bind9
Authenticating root.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  libbind9-30 libdns32 libisc32 libisccc30 libisccfg30 liblwres30
Suggested packages:
  bind9-doc dnsutils resolvconf
The following NEW packages will be installed:
  bind9 libbind9-30 libdns32 libisc32 libisccc30 libisccfg30 liblwres30
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 1005kB of archives.
After this operation, 2789kB of additional disk space will be used.
Get:1 http://xenbr0.localdomain sid/main libisc32 1:9.4.2-4 [126kB]
Get:2 http://xenbr0.localdomain sid/main libdns32 1:9.4.2-4 [491kB]
Get:3 http://xenbr0.localdomain sid/main libisccc30 1:9.4.2-4 [22.3kB]
Get:4 http://xenbr0.localdomain sid/main libisccfg30 1:9.4.2-4 [37.8kB]
Get:5 http://xenbr0.localdomain sid/main libbind9-30 1:9.4.2-4 [26.1kB]
Get:6 http://xenbr0.localdomain sid/main liblwres30 1:9.4.2-4 [39.5kB]
Get:7 http://xenbr0.localdomain sid/main bind9 1:9.4.2-4 [262kB]
Fetched 1005kB in 0s (3524kB/s)
Selecting previously deselected package libisc32.
(Reading database ... 68006 files and directories currently installed.)
Unpacking libisc32 (from .../libisc32_1%3a9.4.2-4_i386.deb) ...
Selecting previously deselected package libdns32.
Unpacking libdns32 (from .../libdns32_1%3a9.4.2-4_i386.deb) ...
Selecting previously deselected package libisccc30.
Unpacking libisccc30 (from .../libisccc30_1%3a9.4.2-4_i386.deb) ...
Selecting previously deselected package libisccfg30.
Unpacking libisccfg30 (from .../libisccfg30_1%3a9.4.2-4_i386.deb) ...
Selecting previously deselected package libbind9-30.
Unpacking libbind9-30 (from .../libbind9-30_1%3a9.4.2-4_i386.deb) ...
Selecting previously deselected package liblwres30.
Unpacking liblwres30 (from .../liblwres30_1%3a9.4.2-4_i386.deb) ...
Selecting previously deselected package bind9.
Unpacking bind9 (from .../bind9_1%3a9.4.2-4_i386.deb) ...
Setting up libisc32 (1:9.4.2-4) ...
Setting up libdns32 (1:9.4.2-4) ...
Setting up libisccc30 (1:9.4.2-4) ...
Setting up libisccfg30 (1:9.4.2-4) ...
Setting up libbind9-30 (1:9.4.2-4) ...
Setting up liblwres30 (1:9.4.2-4) ...
Setting up bind9 (1:9.4.2-4) ...
Adding group `bind' (GID 116) ...
Adding system user `bind' (UID 110) ...
Adding new user `bind' (UID 110) with group `bind' ...
Not creating home directory `/var/cache/bind'.
wrote key file "/etc/bind/rndc.key"
Starting domain name service...: bind.

and denials:

audit(1204723888.180:9): avc:  denied  { use } for  pid=2164 comm="groupadd" name="3" dev=devpts ino=5 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204723888.180:10): avc:  denied  { write } for  pid=2164 comm="groupadd" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
audit(1204723888.428:11): avc:  denied  { use } for  pid=2170 comm="useradd" name="3" dev=devpts ino=5 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204723888.428:12): avc:  denied  { write } for  pid=2170 comm="useradd" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
audit(1204723890.340:13): avc:  denied  { read write } for  pid=2235 comm="modprobe" name="3" dev=devpts ino=5 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file
audit(1204723890.340:14): avc:  denied  { use } for  pid=2235 comm="modprobe" name="3" dev=devpts ino=5 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204723890.340:15): avc:  denied  { write } for  pid=2235 comm="modprobe" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
audit(1204723890.588:16): avc:  denied  { use } for  pid=2239 comm="ifconfig" name="3" dev=devpts ino=5 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204723890.588:17): avc:  denied  { write } for  pid=2239 comm="ifconfig" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
audit(1204723890.620:18): avc:  denied  { read write } for  pid=2240 comm="named" name="3" dev=devpts ino=5 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file
audit(1204723890.620:19): avc:  denied  { use } for  pid=2240 comm="named" name="3" dev=devpts ino=5 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204723890.620:20): avc:  denied  { write } for  pid=2240 comm="named" name="[96277]" dev=pipefs ino=96277 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file

I tried also to install kernel image and got denials:

audit(1204727223.717:45): avc:  denied  { read write } for  pid=2844 comm="depmod" name="3" dev=devpts ino=5 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file
audit(1204727223.717:46): avc:  denied  { use } for  pid=2844 comm="depmod" name="3" dev=devpts ino=5 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
audit(1204727223.717:47): avc:  denied  { write } for  pid=2844 comm="depmod" name="[99536]" dev=pipefs ino=99536 scontext=system_u:system_r:depmod_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file

Attached patch solves the most of this denials, but I doubt this is the
right way.  Should be used some attribute for this?  I noticed attribute
privfd and macro domain_interactive_fd(), what about it?  Rpm already
has such macro calls

I tried to use this macro for apt_t, and all use fd denials above are
solved with it. Should be things done in this way?

Thanks for comments.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apt.patch
Type: text/x-diff
Size: 2004 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20080305/2fb3f090/attachment.patch 

More information about the SELinux-devel mailing list