Re: Updating selinux-policy-targeted Causes SELinux Denials

Daniel J Walsh wrote:

Richi Plana wrote:
Hi,

Should I be concerned that every time an update to
selinux-policy-targeted occurs, it causes actions that the current
running SELinux seems to prevent? I'm talking about SELinux
preventing /usr/sbin/semodule (semanage_t) and /sbin/restorecon
(restorecon_t) "write"ing to a pipe with label "rpm_t".

Are these actions legal? And does SELinux preventing them cause an error
in the actual install? Or should these just be treated as warnings?

I'm guessing that the selinux applications are just trying to
communicate back to the RPM process. I'm wondering if there's anything
important in that communication that should be allowed, or if not, there
must be some way to clean this up.

(If this isn't the right place to ask, could someone redirect me to the
correct one?)
--

Richi Plana

No, I am hoping to eliminate a lot of these in the future. What these
avc's are referring to is the redirection of stdout/stderr. When rpm is
running an update it redirects the terminal output to its fifo_files. So
any confined domain that runs as part of a post install script will
check whether it has access to stdin, stdout, stderr on the terminal or
whatever is acting as the terminal. Since these confined domains do not
have policy allowing them to talk to pipes owned by rpm, the kernel
generates avc messages and closes the file descriptors and replaces them
with open file descriptors to /dev/null. The apps will continue running
and complete successfully, but ugly avc messages are generated. In
updates to policy I am going to globally start dontauditing these accesses.


# Allow all domains to use fds passed to them
allow domain domain:fd use;
optional_policy(`
	rpm_dontaudit_rw_pipes(domain)
')

Should be in Fedora 8 and beyond as well as in the next update to Fedora 7.

Redirection of stdout/stderr accounts for the largest percentage of
SELinux AVC's and most are just noise.

The net effect of this is to throw away any scriptlet output (e.g. error messages), isn't it? Whilst people running a GUI update tool won't see these anyway, us luddites that still use yum from the command line so as to see if there are any problems during an update won't be able to see this output.

Yes, I know that this doesn't represent a change from current policy; I usually add local policy to allow this output when I see the avcs, but if they're dontaudited then I won't see any hint of there being a problem.

Paul.
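
The local policy Paul describes is normally derived from the AVC lines themselves. The following is an added example (not code from the thread or from the Fedora policy) in the spirit of audit2allow: it parses constructed AVC denials of the kind Dan describes (restorecon_t and semanage_t writing to rpm_t pipes) and renders a `.te` module source that would allow exactly those accesses. The sample audit lines, the module name `local_rpm_pipes` and the pids/inodes are all made up for the example.

```python
"""Turn SELinux AVC denials for rpm's stdout/stderr pipes into .te source."""
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original thread); they mirror
# the denials described: restorecon_t / semanage_t writing to rpm_t pipes.
SAMPLE_AVCS = """\
type=AVC msg=audit(1190000000.101:201): avc:  denied  { write } for  pid=4021 comm="restorecon" path="pipe:[77410]" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file
type=AVC msg=audit(1190000000.102:202): avc:  denied  { use } for  pid=4021 comm="restorecon" path="pipe:[77410]" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fd
type=AVC msg=audit(1190000000.250:203): avc:  denied  { write } for  pid=4033 comm="semodule" path="pipe:[77412]" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file
type=AVC msg=audit(1190000000.251:204): avc:  denied  { getattr } for  pid=4033 comm="semodule" path="pipe:[77412]" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; user/role parts of the contexts are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ "
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)

def parse_denials(text):
    """Yield (source type, target type, class, frozenset(perms)) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["stype"], m["ttype"], m["tclass"],
                   frozenset(m["perms"].split()))

def collect_rules(text):
    """Merge denials into one permission set per (stype, ttype, tclass)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_module(rules, name="local_rpm_pipes"):
    """Render a loadable-module .te: require block plus sorted allow rules."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module(collect_rules(SAMPLE_AVCS)))
```

Once the policy dontaudits these accesses the lines this script feeds on no longer reach the audit log; `semodule -DB` rebuilds the policy with dontaudit rules disabled so they become visible again, and `semodule -B` restores the default.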

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
