* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-24  0:43 UTC
  To: refpolicy

diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
--- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)
 
+init_read_fifo_file(readahead_t)
 init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
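Review bot: the added init_read_fifo_file(readahead_t) call grants readahead_t read access to init_t fifo files, but nothing in this hunk or in the patch description says which pipe readahead reads or cites the denial that motivates it; the AVC records posted later in the thread (comm="readahead", path="pipe:[...]", tcontext ...:init_t:s0, tclass=fifo_file) are exactly the justification a reviewer needs, so quote one of them in the description so the new permission stays auditable.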
diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
--- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`
 
 ########################################
 ## <summary>
+##      Read init fifo file.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+		gen_require(`
+		attribute init_t;
+	')
+
+	read_fifo_files_pattern($1, init_t, init_t)
+')
+
+########################################
+## <summary>
 ##	Ptrace init
 ## </summary>
 ## <param name="domain">
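Review bot: gen_require declares `attribute init_t;` but init_t is a type, not an attribute (compare the `type initrc_t;` declaration in init_rw_script_pipes quoted later in the thread); it should read `type init_t;`. Second, read_fifo_files_pattern($1, init_t, init_t) also grants $1 search on init_t directories, which none of the denials posted for readahead show; `allow $1 init_t:fifo_file read_fifo_file_perms;` (the form the thread settles on) grants only what was denied. Finally, the indentation inside the new interface is inconsistent: `gen_require(` is indented by two tabs while its closing `')` and the body use one, unlike the neighbouring interfaces.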


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-24 14:21 UTC
  To: refpolicy


On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>  
>  auth_dontaudit_read_shadow(readahead_t)
>  
> +init_read_fifo_file(readahead_t)
>  init_use_fds(readahead_t)
>  init_use_script_ptys(readahead_t)
>  init_getattr_initctl(readahead_t)
> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>  
>  ########################################
>  ## <summary>
> +##      Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> +		gen_require(`
> +		attribute init_t;
> +	')
> +
> +	read_fifo_files_pattern($1, init_t, init_t)
> +')

No need for the pattern here; use: allow $1 init_t:fifo_file r_fifo_file_perms;


init_t is not an attribute (it's a type).

> +
> +########################################
> +## <summary>
>  ##	Ptrace init
>  ## </summary>
>  ## <param name="domain">



* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-24 15:12 UTC
  To: refpolicy

On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> > --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >  
> >  auth_dontaudit_read_shadow(readahead_t)
> >  
> > +init_read_fifo_file(readahead_t)
> >  init_use_fds(readahead_t)
> >  init_use_script_ptys(readahead_t)
> >  init_getattr_initctl(readahead_t)
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> > --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >  
> >  ########################################
> >  ## <summary>
> > +##      Read init fifo file.
> > +## </summary>
> > +## <param name="domain">
> > +##      <summary>
> > +##      Domain allowed access.
> > +##      </summary>
> > +## </param>
> > +#
> > +interface(`init_read_fifo_file',`
> > +		gen_require(`
> > +		attribute init_t;
> > +	')
> > +
> > +	read_fifo_files_pattern($1, init_t, init_t)
> > +')
> 
> no need to for pattern here use: allow $1 init_t:fifo_file
> r_fifo_file_perms;

Ok, will be changed.

> init_t is not an attribute (its a type)

Hmm. That's too true, good point. But elsewhere in the same interface
file it's being declared the same way (see init_ptrace() and
init_read_state()). I think I just copied off bits from there, that's
why... What should be done about the rest of the occurrences then?

> > +
> > +########################################
> > +## <summary>
> >  ##	Ptrace init
> >  ## </summary>
> >  ## <param name="domain">


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-24 15:15 UTC
  To: refpolicy


On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>  
>>>  auth_dontaudit_read_shadow(readahead_t)
>>>  
>>> +init_read_fifo_file(readahead_t)
>>>  init_use_fds(readahead_t)
>>>  init_use_script_ptys(readahead_t)
>>>  init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>  
>>>  ########################################
>>>  ## <summary>
>>> +##      Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##      <summary>
>>> +##      Domain allowed access.
>>> +##      </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> +		gen_require(`
>>> +		attribute init_t;
>>> +	')
>>> +
>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> no need to for pattern here use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
> 
> Ok will be changed.
> 
>> init_t is not an attribute (its a type)
> 
> Hmm. That's too true, good point. But elsewhere in the same interface
> file it's being declared the same way (see init_ptrace() and
> init_read_state()). I think I just copied off bits from there, that's
> why... What should be done to the rest of occurrences then ?

That should be analysed and determined in each of the remaining occurrences.

You may well have stumbled upon a bug.

> 
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Ptrace init
>>>  ## </summary>
>>>  ## <param name="domain">



* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-25 18:04 UTC
  To: refpolicy

Hi Dominick,

just a quick question on one of your comments...

On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> > --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> > +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> > @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >  
> >  auth_dontaudit_read_shadow(readahead_t)
> >  
> > +init_read_fifo_file(readahead_t)
> >  init_use_fds(readahead_t)
> >  init_use_script_ptys(readahead_t)
> >  init_getattr_initctl(readahead_t)
> > diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> > --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> > +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> > @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >  
> >  ########################################
> >  ## <summary>
> > +##      Read init fifo file.
> > +## </summary>
> > +## <param name="domain">
> > +##      <summary>
> > +##      Domain allowed access.
> > +##      </summary>
> > +## </param>
> > +#
> > +interface(`init_read_fifo_file',`
> > +		gen_require(`
> > +		attribute init_t;
> > +	')
> > +
> > +	read_fifo_files_pattern($1, init_t, init_t)
> > +')
> 
> no need to for pattern here use: allow $1 init_t:fifo_file
> r_fifo_file_perms;

Why should we avoid the use of the pattern here? It gives better
readability and also it grants permission to search the parent dir.

Regards,

Guido


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-25 18:14 UTC
  To: refpolicy


On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> Hi Dominick,
> 
> just a quick question on one of your comments...
> 
> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>  
>>>  auth_dontaudit_read_shadow(readahead_t)
>>>  
>>> +init_read_fifo_file(readahead_t)
>>>  init_use_fds(readahead_t)
>>>  init_use_script_ptys(readahead_t)
>>>  init_getattr_initctl(readahead_t)
>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>  
>>>  ########################################
>>>  ## <summary>
>>> +##      Read init fifo file.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##      <summary>
>>> +##      Domain allowed access.
>>> +##      </summary>
>>> +## </param>
>>> +#
>>> +interface(`init_read_fifo_file',`
>>> +		gen_require(`
>>> +		attribute init_t;
>>> +	')
>>> +
>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>> +')
>>
>> no need to for pattern here use: allow $1 init_t:fifo_file
>> r_fifo_file_perms;
> 
> Why should we avoid the use of the pattern here ? It gives better
> readability and also it grants permission to search the parent dir.

I guess you may indeed be right here. I assume that this pipe is
somewhere in /proc in an init_t directory? If that is so then the caller
indeed needs to traverse an init_t directory to get to the pipe, I guess,
and in that case the pattern makes good sense.

Looking at similar examples though, like

> interface(`init_rw_script_pipes',`
> 	gen_require(`
> 		type initrc_t;
> 	')
> 
> 	allow $1 initrc_t:fifo_file { read write };
> ')

And

> interface(`init_write_script_pipes',`
> 	gen_require(`
> 		type initrc_t;
> 	')
> 
> 	allow $1 initrc_t:fifo_file write;
> ')

It appears that searching domain_type directories is not applicable here.

Can you reproduce this (and in particular the caller searching init_t
directories)?


> 
> Regards,
> 
> Guido
> 



* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-25 18:26 UTC
  To: refpolicy

Hello Dominick!

On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> > Hi Dominick,
> > 
> > just a quick question on one of your comments...
> > 
> > On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> >>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> >>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>  
> >>>  auth_dontaudit_read_shadow(readahead_t)
> >>>  
> >>> +init_read_fifo_file(readahead_t)
> >>>  init_use_fds(readahead_t)
> >>>  init_use_script_ptys(readahead_t)
> >>>  init_getattr_initctl(readahead_t)
> >>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> >>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> >>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>  
> >>>  ########################################
> >>>  ## <summary>
> >>> +##      Read init fifo file.
> >>> +## </summary>
> >>> +## <param name="domain">
> >>> +##      <summary>
> >>> +##      Domain allowed access.
> >>> +##      </summary>
> >>> +## </param>
> >>> +#
> >>> +interface(`init_read_fifo_file',`
> >>> +		gen_require(`
> >>> +		attribute init_t;
> >>> +	')
> >>> +
> >>> +	read_fifo_files_pattern($1, init_t, init_t)
> >>> +')
> >>
> >> no need to for pattern here use: allow $1 init_t:fifo_file
> >> r_fifo_file_perms;
> > 
> > Why should we avoid the use of the pattern here ? It gives better
> > readability and also it grants permission to search the parent dir.
> 
> I guess you may indeed be right here. I assume that this pipe is
> somewhere in /proc in an init_t directory? If that is so then the caller
> indeed needs to traverse an init_t directory to get to the pipe i guess,
> and in that case the pattern makes good sense.
> 
> looking at similar examples thought, like
> 
> > interface(`init_rw_script_pipes',`
> > 	gen_require(`
> > 		type initrc_t;
> > 	')
> > 
> > 	allow $1 initrc_t:fifo_file { read write };
> > ')
> 
> And
> 
> > interface(`init_write_script_pipes',`
> > 	gen_require(`
> > 		type initrc_t;
> > 	')
> > 
> > 	allow $1 initrc_t:fifo_file write;
> > ')
> 
> It appears that searching domain_type directories is not applicable here.
> 
> Can you reproduce this (and in particular the caller searching init_t
> directories?)

Yes, of course I am quite sure it can be reproduced by just starting up
readahead. Here is the log:

type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
scontext=system_u:system_r:readahead_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

Regards,

Guido


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-25 18:30 UTC
  To: refpolicy


On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
> Hello Dominick !
> 
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>  
>>>>>  auth_dontaudit_read_shadow(readahead_t)
>>>>>  
>>>>> +init_read_fifo_file(readahead_t)
>>>>>  init_use_fds(readahead_t)
>>>>>  init_use_script_ptys(readahead_t)
>>>>>  init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>  
>>>>>  ########################################
>>>>>  ## <summary>
>>>>> +##      Read init fifo file.
>>>>> +## </summary>
>>>>> +## <param name="domain">
>>>>> +##      <summary>
>>>>> +##      Domain allowed access.
>>>>> +##      </summary>
>>>>> +## </param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> +		gen_require(`
>>>>> +		attribute init_t;
>>>>> +	')
>>>>> +
>>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> no need to for pattern here use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here ? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>> and in that case the pattern makes good sense.
>>
>> looking at similar examples thought, like
>>
>>> interface(`init_rw_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
> 
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
> 
> type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

Yes, but it does not need to search any init_t type directories from what
I can see in your AVC denial above.

That is why I suggest you use:

allow $1 init_t:fifo_file r_fifo_file_perms;

instead.

> Regards,
> 
> Guido
> 
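The choice Dominick argues for above rests on what the AVC records do and do not contain: a fifo_file read denial on init_t with no accompanying dir search denial, so the read_fifo_files_pattern macro would hand out a search permission the log never asked for. The script below is an added example, not code from the thread or from refpolicy: it parses records in the format quoted above and picks the tighter of the two rule forms. The permission sets mirror refpolicy's obj_perm_sets.spt and misc_patterns.spt definitions, and the dir-search record is constructed here to exercise the other branch.

```python
import re
from collections import defaultdict

# Permission sets as refpolicy defines them in obj_perm_sets.spt. The macro
# read_fifo_files_pattern(src, dirtype, fifotype) in misc_patterns.spt expands to
#   allow src dirtype:dir search_dir_perms;
#   allow src fifotype:fifo_file read_fifo_file_perms;
# so it only buys something when the caller really has to traverse a directory.
READ_FIFO_FILE_PERMS = frozenset({"getattr", "open", "read", "lock", "ioctl"})
SEARCH_DIR_PERMS = frozenset({"getattr", "search", "open"})

# The two denials Guido posted, each record joined back onto one line (the mail
# client had wrapped them). Both are fifo_file reads; neither mentions a dir.
THREAD_DENIALS = """\
type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for  pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398 comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
"""

# Constructed for this example, not from the thread: the kind of record that
# WOULD justify the macro, i.e. the caller being stopped while searching an
# init_t directory on the way to the pipe.
CONSTRUCTED_DIR_DENIAL = (
    "type=AVC msg=audit(1294704869.400:19777): avc:  denied  { search } for  "
    'pid=2661 comm="readahead" name="1" dev=proc ino=1 '
    "scontext=system_u:system_r:readahead_t:s0 "
    "tcontext=system_u:system_r:init_t:s0 tclass=dir\n"
)

# Matches both the 'type=AVC msg=audit(...)' and the numeric 'type=1400 audit(...)' form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return one (source_type, target_type, tclass, frozenset(perms)) per AVC record."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                          m["tclass"], frozenset(m["perms"].split())))
    return found


def merge_denials(denials):
    """Union the denied permissions per (source, target, class) triple."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        merged[(src, tgt, tclass)] |= perms
    return dict(merged)


def pattern_applies(merged, src, tgt):
    """True only when BOTH a fifo_file read and a dir search were denied on the target type."""
    fifo = merged.get((src, tgt, "fifo_file"))
    d = merged.get((src, tgt, "dir"))
    return (fifo is not None and fifo <= READ_FIFO_FILE_PERMS
            and d is not None and "search" in d and d <= SEARCH_DIR_PERMS)


def suggest_rules(denials):
    """Turn the denials into the tightest refpolicy rule form that covers them."""
    merged = merge_denials(denials)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        if tclass in ("fifo_file", "dir") and pattern_applies(merged, src, tgt):
            if tclass == "fifo_file":
                rules.append(f"read_fifo_files_pattern({src}, {tgt}, {tgt})")
            continue  # the dir search is folded into the macro emitted for the fifo
        if tclass == "fifo_file" and perms <= READ_FIFO_FILE_PERMS:
            # Only the pipe was denied: a bare allow is tighter than the macro.
            rules.append(f"allow {src} {tgt}:fifo_file read_fifo_file_perms;")
            continue
        rules.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_denials(THREAD_DENIALS)):
        print(rule)  # allow readahead_t init_t:fifo_file read_fifo_file_perms;
```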



* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Guido Trentalancia @ 2011-01-25 18:39 UTC
  To: refpolicy

Hello Dominick!

On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote:
> On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> > 
> > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> >>> Hi Dominick,
> >>>
> >>> just a quick question on one of your comments...
> >>>
> >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>>>  
> >>>>>  auth_dontaudit_read_shadow(readahead_t)
> >>>>>  
> >>>>> +init_read_fifo_file(readahead_t)
> >>>>>  init_use_fds(readahead_t)
> >>>>>  init_use_script_ptys(readahead_t)
> >>>>>  init_getattr_initctl(readahead_t)
> >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>>>  
> >>>>>  ########################################
> >>>>>  ## <summary>
> >>>>> +##      Read init fifo file.
> >>>>> +## </summary>
> >>>>> +## <param name="domain">
> >>>>> +##      <summary>
> >>>>> +##      Domain allowed access.
> >>>>> +##      </summary>
> >>>>> +## </param>
> >>>>> +#
> >>>>> +interface(`init_read_fifo_file',`
> >>>>> +		gen_require(`
> >>>>> +		attribute init_t;
> >>>>> +	')
> >>>>> +
> >>>>> +	read_fifo_files_pattern($1, init_t, init_t)
> >>>>> +')
> >>>>
> >>>> no need to for pattern here use: allow $1 init_t:fifo_file
> >>>> r_fifo_file_perms;
> >>>
> >>> Why should we avoid the use of the pattern here ? It gives better
> >>> readability and also it grants permission to search the parent dir.
> >>
> >> I guess you may indeed be right here. I assume that this pipe is
> >> somewhere in /proc in an init_t directory? If that is so then the caller
> >> indeed needs to traverse an init_t directory to get to the pipe i guess,
> >> and in that case the pattern makes good sense.

> >> It appears that searching domain_type directories is not applicable here.
> >>
> >> Can you reproduce this (and in particular the caller searching init_t
> >> directories?)
> > 
> > Yes, of course I am quite sure it can be reproduced by just starting up
> > readahead. Here is the log:
> > 
> > type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
> > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> > type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
> > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> 
> Yes but it does not need to search any init_t type directories from what
> i can see in your avc denial above.
> 
> That is why i suggest you use:
> 
> allow $1 init_t:fifo_file r_fifo_file_perms;
> 
> instead.

It was just to keep the interface more generic and eventually re-usable.
But I have now changed the interface to:

allow $1 init_t:fifo_file read_fifo_file_perms;

so it's a bit more optimised and tight.

Regards,

Guido


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
From: Dominick Grift @ 2011-01-25 18:46 UTC
  To: refpolicy


On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> Hello Dominick !
> 
> On Tue, 25/01/2011 at 19.30 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:26 PM, Guido Trentalancia wrote:
>>> Hello Dominick !
>>>
>>> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>>>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>>>> Hi Dominick,
>>>>>
>>>>> just a quick question on one of your comments...
>>>>>
>>>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>>>  
>>>>>>>  auth_dontaudit_read_shadow(readahead_t)
>>>>>>>  
>>>>>>> +init_read_fifo_file(readahead_t)
>>>>>>>  init_use_fds(readahead_t)
>>>>>>>  init_use_script_ptys(readahead_t)
>>>>>>>  init_getattr_initctl(readahead_t)
>>>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>>>  
>>>>>>>  ########################################
>>>>>>>  ## <summary>
>>>>>>> +##      Read init fifo file.
>>>>>>> +## </summary>
>>>>>>> +## <param name="domain">
>>>>>>> +##      <summary>
>>>>>>> +##      Domain allowed access.
>>>>>>> +##      </summary>
>>>>>>> +## </param>
>>>>>>> +#
>>>>>>> +interface(`init_read_fifo_file',`
>>>>>>> +		gen_require(`
>>>>>>> +		attribute init_t;
>>>>>>> +	')
>>>>>>> +
>>>>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>>>>> +')
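Review bot: `attribute init_t;` in the gen_require block is the wrong keyword; init_t is a type (the denials show tcontext=system_u:system_r:init_t:s0, and the existing init_rw_script_pipes interface requires `type initrc_t;`), so this should read `type init_t;`, and the same mistake is pointed out downthread for init_ptrace and init_read_state in the same file. The body also grants more than the evidence calls for: read_fifo_files_pattern($1, init_t, init_t) adds search on init_t directories on top of the fifo_file read, but the denials being fixed are for inherited unnamed pipes (path="pipe:[8853]" dev=pipefs) that are never reached through a directory lookup, so `allow $1 init_t:fifo_file read_fifo_file_perms;` is the rule that matches them. Style: the `gen_require(` line is indented two tabs while its closing `')` has one, and the summary text is padded with spaces where the neighbouring interfaces use a tab after `##`; a name such as init_read_pipes would also line up with init_rw_script_pipes and init_write_script_pipes.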
>>>>>>
>>>>>> no need for the pattern here, use: allow $1 init_t:fifo_file
>>>>>> r_fifo_file_perms;
>>>>>
>>>>> Why should we avoid the use of the pattern here? It gives better
>>>>> readability and also it grants permission to search the parent dir.
>>>>
>>>> I guess you may indeed be right here. I assume that this pipe is
>>>> somewhere in /proc in an init_t directory? If that is so then the caller
>>>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>>>> and in that case the pattern makes good sense.
> 
>>>> It appears that searching domain_type directories is not applicable here.
>>>>
>>>> Can you reproduce this (and in particular the caller searching init_t
>>>> directories?)
>>>
>>> Yes, of course I am quite sure it can be reproduced by just starting up
>>> readahead. Here is the log:
>>>
>>> type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
>>> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>> type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
>>> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
>>> scontext=system_u:system_r:readahead_t:s0
>>> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
>>
>> Yes but it does not need to search any init_t type directories from what
>> I can see in your avc denial above.
>>
>> That is why i suggest you use:
>>
>> allow $1 init_t:fifo_file r_fifo_file_perms;
>>
>> instead.
> 
> It was just to keep the interface more generic and eventually re-usable.
> But I have now changed the interface to:

I understand, and allowing a domain to search a directory isn't a big
deal. Yet I learned from experience. I mean there is a "pattern" in
refpolicy, and I almost never see the read_fifo_file_pattern for domain
types used so that is the reason for my suggestion. A nitpick but I had
to mention it anyway. Trying to keep things uniform.

> 
> allow $1 init_t:fifo_file read_fifo_file_perms;
> 
> so it's a bit more optimised and tight.
> 
> Regards,
> 
> Guido
> 


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
  2011-01-25 18:46             ` Dominick Grift
@ 2011-01-25 19:20               ` Guido Trentalancia
  0 siblings, 0 replies; 14+ messages in thread
From: Guido Trentalancia @ 2011-01-25 19:20 UTC (permalink / raw)
  To: refpolicy

On Tue, 25/01/2011 at 19.46 +0100, Dominick Grift wrote:
> On 01/25/2011 07:39 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> > 
> > It was just to keep the interface more generic and eventually re-usable.
> > But I have now changed the interface to:
> 
> I understand, and allowing a domain to search a directory isn't a big
> deal. Yet I learned from experience. I mean there is a "pattern" in
> refpolicy, and I almost never see the read_fifo_file_pattern for domain
> types used so that is the reason for my suggestion. A nitpick but I had
> to mention it anyway. Trying to keep things uniform.

Yes, one of my first aims is to stay definitely uniform unless there is
really a good reason to do things differently because of a possible
improvement which brings some good advantages.

Splitting up dbus:send_msg permissions (to be uni-directional from each
module) was one thing that I thought could improve the actual
situation for a good reason. But nobody else commented on that, so that
thing is still pending... You didn't manage to convince me yet of your
different opinion, but we'll see ;-)

> > allow $1 init_t:fifo_file read_fifo_file_perms;
> > 
> > so it's a bit more optimised and tight.

Regards,

Guido


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
  2011-01-25 18:26       ` Guido Trentalancia
  2011-01-25 18:30         ` Dominick Grift
@ 2011-01-31 19:03         ` Christopher J. PeBenito
  2011-01-31 23:00           ` Guido Trentalancia
  1 sibling, 1 reply; 14+ messages in thread
From: Christopher J. PeBenito @ 2011-01-31 19:03 UTC (permalink / raw)
  To: refpolicy

On 1/25/2011 1:26 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
>> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
>>> Hi Dominick,
>>>
>>> just a quick question on one of your comments...
>>>
>>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>>
>>>>>   auth_dontaudit_read_shadow(readahead_t)
>>>>>
>>>>> +init_read_fifo_file(readahead_t)
>>>>>   init_use_fds(readahead_t)
>>>>>   init_use_script_ptys(readahead_t)
>>>>>   init_getattr_initctl(readahead_t)
>>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>>
>>>>>   ########################################
>>>>>   ##<summary>
>>>>> +##      Read init fifo file.
>>>>> +##</summary>
>>>>> +##<param name="domain">
>>>>> +##<summary>
>>>>> +##      Domain allowed access.
>>>>> +##</summary>
>>>>> +##</param>
>>>>> +#
>>>>> +interface(`init_read_fifo_file',`
>>>>> +		gen_require(`
>>>>> +		attribute init_t;
>>>>> +	')
>>>>> +
>>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>>> +')
>>>>
>>>> no need for the pattern here, use: allow $1 init_t:fifo_file
>>>> r_fifo_file_perms;
>>>
>>> Why should we avoid the use of the pattern here? It gives better
>>> readability and also it grants permission to search the parent dir.
>>
>> I guess you may indeed be right here. I assume that this pipe is
>> somewhere in /proc in an init_t directory? If that is so then the caller
>> indeed needs to traverse an init_t directory to get to the pipe i guess,
>> and in that case the pattern makes good sense.
>>
>> looking at similar examples though, like
>>
>>> interface(`init_rw_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file { read write };
>>> ')
>>
>> And
>>
>>> interface(`init_write_script_pipes',`
>>> 	gen_require(`
>>> 		type initrc_t;
>>> 	')
>>>
>>> 	allow $1 initrc_t:fifo_file write;
>>> ')
>>
>> It appears that searching domain_type directories is not applicable here.
>>
>> Can you reproduce this (and in particular the caller searching init_t
>> directories?)
>
> Yes, of course I am quite sure it can be reproduced by just starting up
> readahead. Here is the log:
>
> type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
> pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
> comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> scontext=system_u:system_r:readahead_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

The read_fifo_file_perms is appropriate instead of the pattern because 
this is an unnamed pipe (note the pipe=).  There is no dir to search.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

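The triage the thread settles on, written out as an added example (not code from the thread or from refpolicy): parse AVC denials like the two Guido posted, recognise an unnamed pipe from path="pipe:[N]" on dev=pipefs, and emit the bare allow rule rather than read_fifo_files_pattern. The expansion used to show what the pattern would grant on top of that mirrors refpolicy's read_fifo_files_pattern as I recall it (check policy/support/file_patterns.spt in your tree). The third sample denial, its var_run_t directory type and the fallback of reusing the FIFO's own type for the directory argument (which is what the patch did with init_t) are assumptions made for illustration.

```python
"""Triage SELinux AVC denials on fifo_file objects and propose the tightest rule.

Added example, not refpolicy code.  The two readahead_t -> init_t denials are
the ones quoted in the thread (unwrapped onto single lines); the third line is
a constructed named-FIFO denial so both branches of the logic are exercised.
"""
import re

SAMPLE_AVC = """\
type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for  pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398 comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
type=AVC msg=audit(1294704900.000:20000): avc:  denied  { read open } for  pid=2700 comm="example" path="/run/example/ctl" dev=tmpfs ino=42 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=fifo_file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one denial we need, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        # the third colon-separated field of a security context is its type
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
        'dev': fields.get('dev'),
    }


def is_unnamed_pipe(denial):
    """An unnamed pipe lives on pipefs and is reported as path="pipe:[inode]".
    It is reached through an inherited descriptor, never by pathname lookup,
    so no directory search permission is involved."""
    return (denial['tclass'] == 'fifo_file'
            and denial['dev'] == 'pipefs'
            and (denial['path'] or '').startswith('pipe:['))


def expand_read_fifo_files_pattern(src, dir_type, fifo_type):
    """What read_fifo_files_pattern($1, $2, $3) expands to in refpolicy
    (file_patterns.spt, as recalled here; verify against your tree)."""
    return [
        f'allow {src} {dir_type}:dir search_dir_perms;',
        f'allow {src} {fifo_type}:fifo_file read_fifo_file_perms;',
    ]


def suggest_rule(denial, dir_type=None):
    """Bare allow for an unnamed pipe; the pattern (with a directory type)
    for a FIFO that has to be looked up by name.  dir_type defaults to the
    FIFO's own type, which is what the original patch did with init_t."""
    if denial['tclass'] != 'fifo_file':
        raise ValueError('only fifo_file denials are handled here')
    src, tgt = denial['source'], denial['target']
    if is_unnamed_pipe(denial):
        return f'allow {src} {tgt}:fifo_file read_fifo_file_perms;'
    return f'read_fifo_files_pattern({src}, {dir_type or tgt}, {tgt})'


def pattern_overgrant(denial, dir_type=None):
    """Rules the pattern would add that the denial does not call for."""
    if not is_unnamed_pipe(denial):
        return []  # a named FIFO does need the directory search
    src, tgt = denial['source'], denial['target']
    needed = suggest_rule(denial)
    return [r for r in expand_read_fifo_files_pattern(src, dir_type or tgt, tgt) if r != needed]


def suggest_for_log(log_text):
    """One suggestion per distinct fifo_file rule, in first-seen order."""
    seen, out = set(), []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or d['tclass'] != 'fifo_file':
            continue
        rule = suggest_rule(d)
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


if __name__ == '__main__':
    for line in SAMPLE_AVC.splitlines():
        d = parse_avc(line)
        print(d['path'], '->', suggest_rule(d))
        for extra in pattern_overgrant(d):
            print('   pattern would also grant:', extra)
```

Feed it `ausearch -m avc` output or raw lines from /var/log/audit/audit.log; for the two denials from the thread it prints the single `allow readahead_t init_t:fifo_file read_fifo_file_perms;` and flags the `dir search` rule the pattern would have added for no reason.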

* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
  2011-01-24 15:15     ` Dominick Grift
@ 2011-01-31 19:09       ` Christopher J. PeBenito
  0 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2011-01-31 19:09 UTC (permalink / raw)
  To: refpolicy

On 1/24/2011 10:15 AM, Dominick Grift wrote:
> On 01/24/2011 04:12 PM, Guido Trentalancia wrote:
>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>>>>
>>>>   auth_dontaudit_read_shadow(readahead_t)
>>>>
>>>> +init_read_fifo_file(readahead_t)
>>>>   init_use_fds(readahead_t)
>>>>   init_use_script_ptys(readahead_t)
>>>>   init_getattr_initctl(readahead_t)
>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>>>>
>>>>   ########################################
>>>>   ##<summary>
>>>> +##      Read init fifo file.
>>>> +##</summary>
>>>> +##<param name="domain">
>>>> +##<summary>
>>>> +##      Domain allowed access.
>>>> +##</summary>
>>>> +##</param>
>>>> +#
>>>> +interface(`init_read_fifo_file',`
>>>> +		gen_require(`
>>>> +		attribute init_t;
>>>> +	')
>>>> +
>>>> +	read_fifo_files_pattern($1, init_t, init_t)
>>>> +')
>>>
>>> no need for the pattern here, use: allow $1 init_t:fifo_file
>>> r_fifo_file_perms;
>>
>> Ok will be changed.
>>
>>> init_t is not an attribute (it's a type)
>>
>> Hmm. That's too true, good point. But elsewhere in the same interface
>> file it's being declared the same way (see init_ptrace() and
>> init_read_state()). I think I just copied off bits from there, that's
>> why... What should be done to the rest of the occurrences then?
>
> That should be analysed and determined in each of the remaining occurrences.
>
> You may well have stumbled upon a bug.

Yep, there are two interfaces with this bug.  I have fixed them in git 
master.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy
  2011-01-31 19:03         ` Christopher J. PeBenito
@ 2011-01-31 23:00           ` Guido Trentalancia
  0 siblings, 0 replies; 14+ messages in thread
From: Guido Trentalancia @ 2011-01-31 23:00 UTC (permalink / raw)
  To: refpolicy

Hello Christopher !

On Mon, 31/01/2011 at 14.03 -0500, Christopher J. PeBenito wrote:
> On 1/25/2011 1:26 PM, Guido Trentalancia wrote:
> > Hello Dominick !
> >
> > On Tue, 25/01/2011 at 19.14 +0100, Dominick Grift wrote:
> >> On 01/25/2011 07:04 PM, Guido Trentalancia wrote:
> >>> Hi Dominick,
> >>>
> >>> just a quick question on one of your comments...
> >>>
> >>> On Mon, 24/01/2011 at 15.21 +0100, Dominick Grift wrote:
> >>>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> >>>>> diff -pruN -x .git -x corenetwork.if -x corenetwork.te -x booleans.conf -x modules.conf refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-update/policy/modules/admin/readahead.te
> >>>>> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> >>>>> +++ refpolicy-git-18012011-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> >>>>> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
> >>>>>
> >>>>>   auth_dontaudit_read_shadow(readahead_t)
> >>>>>
> >>>>> +init_read_fifo_file(readahead_t)
> >>>>>   init_use_fds(readahead_t)
> >>>>>   init_use_script_ptys(readahead_t)
> >>>>>   init_getattr_initctl(readahead_t)
> >>>>> diff -pruN -x .git -x booleans.conf -x corenetwork.if -x corenetwork.te -x modules.conf refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-new/policy/modules/system/init.if
> >>>>> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> >>>>> +++ refpolicy-git-18012011-new/policy/modules/system/init.if	2011-01-23 00:29:43.873713518 +0100
> >>>>> @@ -947,6 +947,24 @@ interface(`init_read_state',`
> >>>>>
> >>>>>   ########################################
> >>>>>   ##<summary>
> >>>>> +##      Read init fifo file.
> >>>>> +##</summary>
> >>>>> +##<param name="domain">
> >>>>> +##<summary>
> >>>>> +##      Domain allowed access.
> >>>>> +##</summary>
> >>>>> +##</param>
> >>>>> +#
> >>>>> +interface(`init_read_fifo_file',`
> >>>>> +		gen_require(`
> >>>>> +		attribute init_t;
> >>>>> +	')
> >>>>> +
> >>>>> +	read_fifo_files_pattern($1, init_t, init_t)
> >>>>> +')
> >>>>
> >>>> no need for the pattern here, use: allow $1 init_t:fifo_file
> >>>> r_fifo_file_perms;
> >>>
> >>> Why should we avoid the use of the pattern here? It gives better
> >>> readability and also it grants permission to search the parent dir.
> >>
> >> I guess you may indeed be right here. I assume that this pipe is
> >> somewhere in /proc in an init_t directory? If that is so then the caller
> >> indeed needs to traverse an init_t directory to get to the pipe i guess,
> >> and in that case the pattern makes good sense.
> >>
> >> looking at similar examples though, like
> >>
> >>> interface(`init_rw_script_pipes',`
> >>> 	gen_require(`
> >>> 		type initrc_t;
> >>> 	')
> >>>
> >>> 	allow $1 initrc_t:fifo_file { read write };
> >>> ')
> >>
> >> And
> >>
> >>> interface(`init_write_script_pipes',`
> >>> 	gen_require(`
> >>> 		type initrc_t;
> >>> 	')
> >>>
> >>> 	allow $1 initrc_t:fifo_file write;
> >>> ')
> >>
> >> It appears that searching domain_type directories is not applicable here.
> >>
> >> Can you reproduce this (and in particular the caller searching init_t
> >> directories?)
> >
> > Yes, of course I am quite sure it can be reproduced by just starting up
> > readahead. Here is the log:
> >
> > type=AVC msg=audit(1294704869.317:19776): avc:  denied  { read } for
> > pid=2661 comm="readahead" path="pipe:[8853]" dev=pipefs ino=8853
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> > type=1400 audit(1294704824.813:3): avc:  denied  { read } for  pid=1398
> > comm="readahead-colle" path="pipe:[3384]" dev=pipefs ino=3384
> > scontext=system_u:system_r:readahead_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
> 
> The read_fifo_file_perms is appropriate instead of the pattern because 
> this is an unnamed pipe (note the pipe=).  There is no dir to search.

Thanks for confirming.

Do you also confirm the attribute versus type issue regarding init_t (at
lines 940 and 961 of the existing policy/modules/system/init.if and in
the new interface that I had created)?

Dominick spotted that, and now I also believe that it is a typo.

If the latter is confirmed, my worry is how come nothing in the build
process (or any subsequent step) failed?

Regards,

Guido


Thread overview: 14+ messages
2011-01-24  0:43 [refpolicy] [PATCH/RFC 3/19]: patch set to update the git reference policy Guido Trentalancia
2011-01-24 14:21 ` Dominick Grift
2011-01-24 15:12   ` Guido Trentalancia
2011-01-24 15:15     ` Dominick Grift
2011-01-31 19:09       ` Christopher J. PeBenito
2011-01-25 18:04   ` Guido Trentalancia
2011-01-25 18:14     ` Dominick Grift
2011-01-25 18:26       ` Guido Trentalancia
2011-01-25 18:30         ` Dominick Grift
2011-01-25 18:39           ` Guido Trentalancia
2011-01-25 18:46             ` Dominick Grift
2011-01-25 19:20               ` Guido Trentalancia
2011-01-31 19:03         ` Christopher J. PeBenito
2011-01-31 23:00           ` Guido Trentalancia
