* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Guido Trentalancia @ 2011-02-16  6:42 UTC (permalink / raw)
  To: refpolicy

This patch allows mount to use kernel file descriptors.

diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
--- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
+++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
@@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
+kernel_use_fds(mount_t)
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
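Review bot: the one-line justification does not say what produced the denial that motivates `kernel_use_fds(mount_t)`; the patch description should carry the AVC record and the boot-time scenario so the maintainer can judge whether an allow is the right fix. As the thread later shows, the denial is a `use` on an inherited descriptor (tclass=fd, path="/dev/pts/0") labelled kernel_t, i.e. one created before the first policy load and passed down through init to mount_t. If mount only writes boot messages to that descriptor and it is a leaked pty, the narrower change is the dontaudit counterpart, kernel_dontaudit_use_fds(mount_t), plus finding where the pty is leaked, rather than a new allow; the description should state which case applies.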


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Christopher J. PeBenito @ 2011-02-28 15:05 UTC (permalink / raw)
  To: refpolicy

On 02/16/11 01:42, Guido Trentalancia wrote:
> This patch allows mount to use kernel file descriptors.
> 
> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>  
>  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>  
> +kernel_use_fds(mount_t)
>  kernel_read_system_state(mount_t)
>  kernel_read_kernel_sysctls(mount_t)
>  kernel_dontaudit_getattr_core_if(mount_t)

How did you come across this?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Guido Trentalancia @ 2011-02-28 19:16 UTC (permalink / raw)
  To: refpolicy

On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:42, Guido Trentalancia wrote:
> > This patch allows mount to use kernel file descriptors.
> > 
> > diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> > --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
> > +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
> > @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >  
> >  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >  
> > +kernel_use_fds(mount_t)
> >  kernel_read_system_state(mount_t)
> >  kernel_read_kernel_sysctls(mount_t)
> >  kernel_dontaudit_getattr_core_if(mount_t)
> 
> How did you come across this?

type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
comm="mount" path="/dev/pts/0" dev=devpts ino=3
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=fd

Regards,

Guido


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Christopher J. PeBenito @ 2011-03-01 19:10 UTC (permalink / raw)
  To: refpolicy

On 02/28/11 14:16, Guido Trentalancia wrote:
> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>> This patch allows mount to use kernel file descriptors.
>>>
>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>  
>>>  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>  
>>> +kernel_use_fds(mount_t)
>>>  kernel_read_system_state(mount_t)
>>>  kernel_read_kernel_sysctls(mount_t)
>>>  kernel_dontaudit_getattr_core_if(mount_t)
>>
>> How did you come across this?
> 
> type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
> comm="mount" path="/dev/pts/0" dev=devpts ino=3
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=fd

Can you provide more detail?  What was happening on the system?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Guido Trentalancia @ 2011-03-01 21:08 UTC (permalink / raw)
  To: refpolicy

On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
> On 02/28/11 14:16, Guido Trentalancia wrote:
> > On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:42, Guido Trentalancia wrote:
> >>> This patch allows mount to use kernel file descriptors.
> >>>
> >>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> >>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
> >>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
> >>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >>>  
> >>>  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >>>  
> >>> +kernel_use_fds(mount_t)
> >>>  kernel_read_system_state(mount_t)
> >>>  kernel_read_kernel_sysctls(mount_t)
> >>>  kernel_dontaudit_getattr_core_if(mount_t)
> >>
> >> How did you come across this?
> > 
> > type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
> > comm="mount" path="/dev/pts/0" dev=devpts ino=3
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:kernel_t:s0 tclass=fd
> 
> Can you provide more detail?  What was happening on the system?

Unfortunately I cannot provide more details now. I believe it's
happening at boot-up. I am also quite sure it's not critical. And the
only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
from Fedora (will be obsoleted soon by the way).

You could just drop it for the time being...

Regards,

Guido


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Daniel J Walsh @ 2011-03-02 19:07 UTC (permalink / raw)
  To: refpolicy

On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
>> On 02/28/11 14:16, Guido Trentalancia wrote:
>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>>>> This patch allows mount to use kernel file descriptors.
>>>>>
>>>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
>>>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>>>  
>>>>>  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>>>  
>>>>> +kernel_use_fds(mount_t)
>>>>>  kernel_read_system_state(mount_t)
>>>>>  kernel_read_kernel_sysctls(mount_t)
>>>>>  kernel_dontaudit_getattr_core_if(mount_t)
>>>>
>>>> How did you come across this?
>>>
>>> type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
>>> scontext=system_u:system_r:mount_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>>
>> Can you provide more detail?  What was happening on the system?
> 
> Unfortunately I cannot provide more details now. I believe it's
> happening at boot-up. I am also quite sure it's not critical. And the
> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> from Fedora (will be obsoleted soon by the way).
> 
> You could just drop it for the time being...
> 
> Regards,
> 
> Guido
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout,
passes it to init, which passes it to initrc_t, which passes it to
mount_t.  (init_t could pass it directly to mount_t).




* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Guido Trentalancia @ 2011-03-02 19:47 UTC (permalink / raw)
  To: refpolicy

On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote:
> On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
> > On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
> >> On 02/28/11 14:16, Guido Trentalancia wrote:
> >>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> >>>> On 02/16/11 01:42, Guido Trentalancia wrote:
> >>>>> This patch allows mount to use kernel file descriptors.
> >>>>>
> >>>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> >>>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
> >>>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
> >>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >>>>>  
> >>>>>  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >>>>>  
> >>>>> +kernel_use_fds(mount_t)
> >>>>>  kernel_read_system_state(mount_t)
> >>>>>  kernel_read_kernel_sysctls(mount_t)
> >>>>>  kernel_dontaudit_getattr_core_if(mount_t)
> >>>>
> >>>> How did you come across this?
> >>>
> >>> type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
> >>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
> >>> scontext=system_u:system_r:mount_t:s0
> >>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
> >>
> >> Can you provide more detail?  What was happening on the system?
> > 
> > Unfortunately I cannot provide more details now. I believe it's
> > happening at boot-up. I am also quite sure it's not critical. And the
> > only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> > from Fedora (will be obsoleted soon by the way).
> > 
> > You could just drop it for the time being...
> > 
> > Regards,
> > 
> > Guido
> > 
> 
> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout,
> passes it to init, which passes it to initrc_t, which passes it to
> mount_t.  (init_t could pass it directly to mount_t).

And mount_t uses it to print out messages such as "mount
point /proc/bus/usb does not exist" very early during boot-up. Does this
sound like a possible end of the story?

Regards,

Guido


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Christopher J. PeBenito @ 2011-03-03 13:39 UTC (permalink / raw)
  To: refpolicy

On 3/2/2011 2:47 PM, Guido Trentalancia wrote:
> On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote:
>> On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
>>> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
>>>> On 02/28/11 14:16, Guido Trentalancia wrote:
>>>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>>>>>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>>>>>> This patch allows mount to use kernel file descriptors.
>>>>>>>
>>>>>>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>>>>>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
>>>>>>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
>>>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>>>>>
>>>>>>>   files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>>>>>
>>>>>>> +kernel_use_fds(mount_t)
>>>>>>>   kernel_read_system_state(mount_t)
>>>>>>>   kernel_read_kernel_sysctls(mount_t)
>>>>>>>   kernel_dontaudit_getattr_core_if(mount_t)
>>>>>>
>>>>>> How did you come across this?
>>>>>
>>>>> type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
>>>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
>>>>> scontext=system_u:system_r:mount_t:s0
>>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>>>>
>>>> Can you provide more detail?  What was happening on the system?
>>>
>>> Unfortunately I cannot provide more details now. I believe it's
>>> happening at boot-up. I am also quite sure it's not critical. And the
>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
>>> from Fedora (will be obsoleted soon by the way).
>>>
>>> You could just drop it for the time being...
>>
>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout,
>> passes it to init, which passes it to initrc_t, which passes it to
>> mount_t.  (init_t could pass it directly to mount_t).
>
> And mount_t uses it to print out messages such as "mount
> point /proc/bus/usb does not exist" very early during boot-up. Does this
> sound like a possible end of the story?

This scenario doesn't sound right to me.  Why would the kernel be using 
a pty?  I would expect it to be using /dev/console.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Daniel J Walsh @ 2011-03-03 13:49 UTC (permalink / raw)
  To: refpolicy

On 03/03/2011 08:39 AM, Christopher J. PeBenito wrote:
> On 3/2/2011 2:47 PM, Guido Trentalancia wrote:
>> On Wed, 02/03/2011 at 14.07 -0500, Daniel J Walsh wrote:
>>> On 03/01/2011 04:08 PM, Guido Trentalancia wrote:
>>>> On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
>>>>> On 02/28/11 14:16, Guido Trentalancia wrote:
>>>>>> On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
>>>>>>> On 02/16/11 01:42, Guido Trentalancia wrote:
>>>>>>>> This patch allows mount to use kernel file descriptors.
>>>>>>>>
>>>>>>>> diff -pruN
>>>>>>>> refpolicy-git-15022011-test/policy/modules/system/mount.te
>>>>>>>> refpolicy-git-15022011-test-new/policy/modules/system/mount.te
>>>>>>>> ---
>>>>>>>> refpolicy-git-15022011-test/policy/modules/system/mount.te   
>>>>>>>> 2011-02-16 02:34:33.253189215 +0100
>>>>>>>> +++
>>>>>>>> refpolicy-git-15022011-test-new/policy/modules/system/mount.te    2011-02-16
>>>>>>>> 03:54:18.732023725 +0100
>>>>>>>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
>>>>>>>>
>>>>>>>>   files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
>>>>>>>>
>>>>>>>> +kernel_use_fds(mount_t)
>>>>>>>>   kernel_read_system_state(mount_t)
>>>>>>>>   kernel_read_kernel_sysctls(mount_t)
>>>>>>>>   kernel_dontaudit_getattr_core_if(mount_t)
>>>>>>>
>>>>>>> How did you come across this?
>>>>>>
>>>>>> type=1400 audit(1295758153.958:3): avc:  denied  { use } for 
>>>>>> pid=1429
>>>>>> comm="mount" path="/dev/pts/0" dev=devpts ino=3
>>>>>> scontext=system_u:system_r:mount_t:s0
>>>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>>>>>
>>>>> Can you provide more detail?  What was happening on the system?
>>>>
>>>> Unfortunately I cannot provide more details now. I believe it's
>>>> happening at boot-up. I am also quite sure it's not critical. And the
>>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
>>>> from Fedora (will be obsoleted soon by the way).
>>>>
>>>> You could just drop it for the time being...
>>>
>>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout,
>>> passes it to init, which passes it to initrc_t, which passes it to
>>> mount_t.  (init_t could pass it directly to mount_t).
>>
>> And mount_t uses it to print out messages such as "mount
>> point /proc/bus/usb does not exist" very early during boot-up. Does this
>> sound like a possible end of the story?
> 
> This scenario doesn't sound right to me.  Why would the kernel be using
> a pty?  I would expect it to be using /dev/console.
> 

Maybe to talk to plymouth?


* [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
From: Russell Coker @ 2011-03-04  6:54 UTC (permalink / raw)
  To: refpolicy

On Fri, 4 Mar 2011, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>>>>>>> +kernel_use_fds(mount_t)
> >>>> 
> >>>> Unfortunately I cannot provide more details now. I believe it's
> >>>> happening at boot-up. I am also quite sure it's not critical. And the
> >>>> only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
> >>>> from Fedora (will be obsoleted soon by the way).
> >>>> 
> >>>> You could just drop it for the time being...
> >>> 
> >>> I would guess kernel_t opens the /dev/pts/0 file descriptor to stdout,
> >>> passes it to init, which passes it to initrc_t, which passes it to
> >>> mount_t.  (init_t could pass it directly to mount_t).
> >> 
> > 
> > This scenario doesn't sound right to me.  Why would the kernel be using
> > a pty?  I would expect it to be using /dev/console.

Sounds to me like the pty is being created before the policy is loaded.  
Everything that is done before the first policy load is run as "kernel" which 
becomes "kernel_t".

So the question is, why is that pty being leaked or why is a pty from before 
policy load hanging around until afterwards?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
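As an added example (not code from this thread or from refpolicy), here is a small parser for the AVC record Guido posted, with a check that states what Dan and Russell describe: a descriptor labelled kernel_t was created before the first policy load and inherited across exec down to mount_t, and it is a pty rather than /dev/console. The sample record is a constructed copy of the one in the thread, wrapped the way the mail shows it; kernel_dontaudit_use_fds is refpolicy's dontaudit counterpart of the interface the patch adds.

```python
"""Parse an SELinux AVC denial and explain an inherited-fd 'use' denial.
Added example for this thread, not refpolicy code."""
import re
from dataclasses import dataclass

# Constructed copy of the denial posted in the thread, line-wrapped as in the mail.
SAMPLE_DENIAL = """type=1400 audit(1295758153.958:3): avc:  denied  { use } for  pid=1429
comm="mount" path="/dev/pts/0" dev=devpts ino=3
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=fd"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple
    fields: dict


def parse_avc(text):
    """Join a possibly line-wrapped record and extract perms and key=value fields."""
    flat = " ".join(text.split())            # mail clients wrap long audit lines
    m = AVC_RE.search(flat)
    if m is None:
        raise ValueError("not an AVC denial record")
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC record missing {required}=")
    return AvcDenial(perms, fields)


def domain_type(context):
    """user:role:type[:level] -> type, e.g. system_u:system_r:mount_t:s0 -> mount_t."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context}")
    return parts[2]


def explain_fd_use(denial):
    """Describe an inherited-descriptor denial (tclass=fd, perm use); None otherwise."""
    if denial.fields["tclass"] != "fd" or "use" not in denial.perms:
        return None
    src = domain_type(denial.fields["scontext"])
    tgt = domain_type(denial.fields["tcontext"])
    path = denial.fields.get("path", "?")
    dev = denial.fields.get("dev", "?")
    return {
        "domain": src,
        "fd_owner": tgt,
        "path": path,
        # Everything that runs before the first policy load is kernel_t, so a
        # kernel_t-labelled fd predates policy load and was inherited across exec.
        "predates_policy_load": tgt == "kernel_t",
        # A pty instead of /dev/console is the odd part the thread questions.
        "is_pty": dev == "devpts" or path.startswith("/dev/pts/"),
        # The allow interface from the patch and its dontaudit alternative for a
        # descriptor the domain never actually needs.
        "allow_rule": f"kernel_use_fds({src})" if tgt == "kernel_t" else None,
        "dontaudit_rule": f"kernel_dontaudit_use_fds({src})" if tgt == "kernel_t" else None,
    }
```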

