Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Richi Plana wrote:
>>> Hi,
>>>
>>> Should I be concerned that every time an update to
>>> selinux-policy-targeted occurs, it causes actions that the current
>>> running SELinux seems to prevent? I'm talking about SELinux
>>> preventing /usr/sbin/semodule (semanage_t) and /sbin/restorecon
>>> (restorecon_t) "write"ing to a pipe with label "rpm_t".
>>>
>>> Are these actions legal? And does SELinux preventing them cause an error
>>> in the actual install? Or should these just be treated as warnings?
>>>
>>> I'm guessing that the selinux applications are just trying to
>>> communicate back to the RPM process. I'm wondering if there's anything
>>> important in that communication that should be allowed, or if not, there
>>> must be some way to clean this up.
>>>
>>> (If this isn't the right place to ask, could someone redirect me to the
>>> correct one?)
>>> --
>>>
>>> Richi Plana
>>>
>> No, I am hoping to eliminate a lot of these in the future. What these
>> avc's are referring to is the redirection of stdout/stderr. When rpm is
>> running an update it redirects the terminal output to its fifo_files. So
>> any confined domain that runs as part of a post install script will
>> check whether it has access to stdin, stdout, stderr on the terminal or
>> whatever is acting as the terminal. Since these confined domains do not
>> have policy allowing them to talk to pipes owned by rpm, the kernel
>> generates avc messages and closes the file descriptors and replaces them
>> with open file descriptors to /dev/null. The apps will continue running
>> and complete successfully, but ugly avc messages are generated. In
>> updates to policy I am going to globally start dontauditing these accesses.
>>
>> # Allow all domains to use fds passed to them
>> allow domain domain:fd use;
>> optional_policy(`
>>     rpm_dontaudit_rw_pipes(domain)
>> ')
>>
>> Should be in Fedora 8 and beyond as well as in the next update to
>> Fedora 7.
>>
>> Redirection of stdout/stderr accounts for the largest percentage of
>> SELinux AVCs and most are just noise.
>
> The net effect of this is to throw away any scriptlet output (e.g. error
> messages), isn't it? Whilst people running a GUI update tool won't see
> these anyway, us luddites that still use yum from the command line so as
> to see if there are any problems during an update won't be able to see
> this output.
>
> Yes, I know that this doesn't represent a change from current policy; I
> usually add local policy to allow this output when I see the avcs, but
> if they're dontaudited then I won't see any hint of there being a problem.
>
> Paul.
>
You're right, I will change it to rpm_rw_pipes.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
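As an added example, not from this thread or from the policy package: a small script that pulls the class of denial Richi describes (a confined domain refused write on a fifo_file labelled rpm_t, i.e. rpm's redirected stdout/stderr) out of raw audit lines, so the scriptlet helpers whose output went to /dev/null can be listed. The audit lines are constructed; PIDs, inodes and timestamps are not real.

```python
import re

# Constructed sample of /var/log/audit/audit.log lines. The first two are
# the rpm-pipe denials from the thread; the third is an unrelated denial
# that the filter must leave alone.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1194000000.101:201): avc:  denied  { write } for  pid=4321 comm="semodule" path="pipe:[90001]" dev=pipefs ino=90001 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file
type=AVC msg=audit(1194000000.105:202): avc:  denied  { write } for  pid=4322 comm="restorecon" path="pipe:[90001]" dev=pipefs ino=90001 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file
type=AVC msg=audit(1194000000.110:203): avc:  denied  { read } for  pid=4400 comm="httpd" name="shadow" dev=dm-0 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Fields of an AVC denial record that matter here: the denied permissions,
# the command, the source and target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the interesting fields of an AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = m.groupdict()
    avc["perms"] = avc["perms"].split()
    # A context is user:role:type[:level]; the type is the third field.
    avc["sdom"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc


def is_rpm_pipe_denial(avc):
    """True when a domain was refused read/write on a pipe owned by rpm_t."""
    return (avc["tclass"] == "fifo_file"
            and avc["ttype"] == "rpm_t"
            and bool({"read", "write"} & set(avc["perms"])))


def rpm_pipe_denials(log_text):
    """(comm, source domain) pairs whose scriptlet output was dropped to /dev/null."""
    found = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and is_rpm_pipe_denial(avc):
            found.append((avc["comm"], avc["sdom"]))
    return found
```

Once these accesses are dontaudited, the lines this script looks for are no longer written at all, which is exactly the loss of visibility Paul raises.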