On 29/02/08 13:46, Christopher J. PeBenito wrote:
> On Fri, 2008-02-29 at 08:21 +0100, Václav Ovsík wrote:
>> When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
>> with run_init), then the ldconfig called from a postinst and/or a postrm
>> scripts of shared libs brings following denials:
>>
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
>> Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
>>
>> The attached patch (which replaces my previous patch) suppresses these messages.
>> Maybe this could be solved also by adding unconfined_domain(ldconfig_t) like
>> Fedora or Ubuntu solves this. (This could be added to.)
>
> The apt rules are fine, but there shouldn't be any more generic pty
> usage anymore. Are you using an older policy that doesn't have strict
> and targeted merged (and unconfined_r)?

It's because apt creates a pty of its own to run dpkg on, so it can log
the output. (This is fairly recent - it has been in apt trunk since
October.)

The attached patch is what I am using to deal with this. (I'm not sure
if it should be apt_dontaudit_use_fds(ldconfig_t) or
apt_use_fds(ldconfig_t) but dontaudit is what the Debian policy package
uses.)

Best wishes,

-- 
Martin Orr
Written by: Martin Orr with bits from: srivasta@xxxxxxxxxxxxxxxxx/refpolicy--debian--0.0--patch-12 srivasta@xxxxxxxxxxxxxxxxx/refpolicy--debian--0.0--patch-13 Combines 501_apt_create_pty with bits from 365_apt_fixes Cope with apt creating a new pty to run dpkg Index: policy/modules/admin/apt.fc =================================================================== --- policy/modules/admin/apt.fc.orig 2008-02-29 14:55:59.000000000 +0000 +++ policy/modules/admin/apt.fc 2008-02-29 14:56:46.000000000 +0000 @@ -11,3 +11,6 @@ # package list repository /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) + +# dpkg terminal log +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) Index: policy/modules/admin/apt.if =================================================================== --- policy/modules/admin/apt.if.orig 2008-02-29 14:55:59.000000000 +0000 +++ policy/modules/admin/apt.if 2008-02-29 14:56:46.000000000 +0000 @@ -92,6 +92,25 @@ ######################################## ## <summary> +## Do not audit attempts to use file descriptors from apt. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process attempting performing this action +## which should not be audited. +## </summary> +## </param> +# +interface(`apt_dontaudit_use_fds',` + gen_require(` + type apt_t; + ') + + dontaudit $1 apt_t:fd use; +') + +######################################## +## <summary> ## Read and write an unnamed apt pipe. ## </summary> ## <param name="domain"> 
@@ -111,6 +130,24 @@ ######################################## ## <summary> +## Read from and write to apt ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_use_ptys',` + gen_require(` + type apt_devpts_t; + ') + + allow $1 apt_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> ## Read the apt package database. ## </summary> ## <param name="domain"> Index: policy/modules/admin/apt.te =================================================================== --- policy/modules/admin/apt.te.orig 2008-02-29 14:55:59.000000000 +0000 +++ policy/modules/admin/apt.te 2008-02-29 14:57:02.000000000 +0000 @@ -1,5 +1,5 @@ -policy_module(apt,1.3.0) +policy_module(apt,1.3.1) ######################################## # @@ -26,6 +26,13 @@ type apt_var_cache_t alias var_cache_apt_t; files_type(apt_var_cache_t) +type apt_var_log_t alias var_log_apt_t; +logging_log_file(apt_var_log_t) + +# pseudo terminal for running dpkg +type apt_devpts_t; +term_pty(apt_devpts_t) + ######################################## # # apt Local policy @@ -97,6 +104,7 @@ fs_getattr_all_fs(apt_t) +term_create_pty(apt_t, apt_devpts_t) term_list_ptys(apt_t) term_use_all_terms(apt_t) Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig 2008-02-29 14:55:59.000000000 +0000 +++ policy/modules/admin/dpkg.te 2008-02-29 14:56:46.000000000 +0000 
@@ -172,6 +172,10 @@ # since the scripts aren't labeled correctly yet... allow dpkg_t dpkg_var_lib_t:file execute; +optional_policy(` + apt_use_ptys(dpkg_t) +') + # TODO: allow? #optional_policy(` # cron_system_entry(dpkg_t,dpkg_exec_t) Index: policy/modules/system/libraries.te =================================================================== --- policy/modules/system/libraries.te.orig 2008-02-29 14:55:59.000000000 +0000 +++ policy/modules/system/libraries.te 2008-02-29 14:56:46.000000000 +0000 @@ -98,6 +98,11 @@ ') optional_policy(` + apt_dontaudit_use_fds(ldconfig_t) + apt_use_ptys(ldconfig_t) +') + +optional_policy(` # When you install a kernel the postinstall builds a initrd image in tmp # and executes ldconfig on it. If you dont allow this kernel installs # blow up.
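Review bot: In the apt.if hunk at @@ -92,6 +92,25 @@, the parameter summary for apt_dontaudit_use_fds reads "The type of the process attempting performing this action", which has one verb too many. Something like "Domain to not audit." or "The type of the process performing this action which should not be audited." keeps the generated interface documentation clean.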
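Review bot: The apt.te hunk at @@ -26,6 +26,13 @@ declares apt_var_log_t and the apt.fc hunk labels /var/log/apt with it, but none of the apt.te hunks shown gives apt_t any access to the new type, so once the directory is relabeled apt has no visible rule letting it write the dpkg terminal log. Consider adding manage rules for apt_var_log_t files to the apt local policy section together with a transition such as `logging_log_filetrans(apt_t, apt_var_log_t, { file dir })`. The alias var_log_apt_t is only worth keeping if an older policy already used that name.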
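Review bot: In the libraries.te hunk at @@ -98,6 +98,11 @@, apt_dontaudit_use_fds(ldconfig_t) and apt_use_ptys(ldconfig_t) pull in opposite directions. The dontaudit rule only silences the apt_t:fd use denial, so the descriptor ldconfig inherits from apt is still refused, while the allow grants rw_term_perms on apt_devpts_t that ldconfig can then exercise only on a pty it opens itself. If ldconfig output is meant to reach the dpkg terminal log, an allow on the fd (the apt_use_fds(ldconfig_t) alternative raised in the message) is the consistent choice; if it is not, dontaudit the pty access too and drop the allow. The fifo_file write denial against apt_t from the quoted log is not addressed by this hunk, so it will still be logged unless a rule outside the visible context covers it.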