Bug 23616 - Some SELinux policy updates. tmpfs, id, ps and reiserfsck
Summary: Some SELinux policy updates. tmpfs, id, ps and reiserfsck
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-06-27 13:20 UTC by Ian Leitch (RETIRED)
Modified: 2003-07-02 17:01 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
reiser denies on boot (reiserdenies.txt,8.63 KB, text/plain)
2003-06-29 21:09 UTC, Zack Gilburd (RETIRED)

Description Ian Leitch (RETIRED) gentoo-dev 2003-06-27 13:20:27 UTC
These changes eliminated all my boot avc: denied violations.

> fsadm.te
-----------
# Allow /sbin/reiserfsck to do its checks. - port001
allow fsadm_t memory_device_t:chr_file getattr;
allow fsadm_t memory_device_t:dir getattr;
allow fsadm_t memory_device_t:fifo_file getattr;
allow fsadm_t zero_device_t:chr_file getattr;
allow fsadm_t device_t:chr_file getattr;
allow fsadm_t random_device_t:chr_file getattr;
allow fsadm_t devtty_t:chr_file getattr;
allow fsadm_t ptmx_t:chr_file getattr;
allow fsadm_t devpts_t:dir getattr;
allow fsadm_t initctl_t:fifo_file getattr;
allow fsadm_t tty_device_t:chr_file getattr;
----

> initrc.te
-----------
# Allow tmpfs to run its course - port001
allow initrc_t tmpfs_t:dir { write add_name read create remove_name rmdir rename };
allow initrc_t tmpfs_t:file { create append read unlink setattr write };
allow initrc_t tmpfs_t:lnk_file { read create unlink };

# reading of /bin/id for the context - port001
allow initrc_t security_t:security sid_to_context;

# some /bin/ps stuff - port001
allow initrc_t proc_hw_t:dir search;
allow initrc_t proc_hw_t:file read;
----

Sorry for the poor comments for each bit, I wasn't sure what scripts were
calling the programs that caused the warnings. 

Should be lots more on the way from me, as those were only my boot ones. 

Reproducible: Always
Steps to Reproduce:
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2003-06-28 08:26:42 UTC
I'm going to have to check out the reiserfsck rules; most likely those should be dontaudit rules, instead of allow.

Where do you have the tmpfs mounted?  /tmp?  Either way, tmpfs is not well supported, and it's somewhat messy when it comes to use.  A better solution to your rules would probably be "tmpfs_domain(initrc)"

As for the proc and id rules, I'll need more info if possible.
Comment 2 Ian Leitch (RETIRED) gentoo-dev 2003-06-28 17:41:53 UTC
I got these violations with baselayout 1.8.5.9
They are all gone with baselayout 1.8.6.8-r1.
Comment 3 Zack Gilburd (RETIRED) gentoo-dev 2003-06-29 21:09:30 UTC
Created attachment 14026 [details]
reiser denies on boot

Using the most recent baselayout and CVS policies.... Also, I took the end of
the dmesg out because it wasn't relevant to the bug.  The whole dmesg
preceding the denies has been included, however.  Enjoy ;)
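Added example (not part of this bug or of Gentoo's policy tooling): a small Python script that turns kernel avc denial lines, like the ones in the attachment, into candidate policy statements. It applies the distinction from comment 1: a denial whose only permission is a getattr probe is emitted as dontaudit rather than allow, and rules against tmpfs_t are flagged with a note that the tmpfs_domain() macro was suggested instead of raw rules. The avc lines below are constructed to match the rules in the description (old-style "avc:  denied  { perms } for ... scontext= tcontext= tclass=" layout); they are not copied from attachment 14026, and the getattr-means-dontaudit heuristic is this example's assumption, not a general policy.

```python
import re
from collections import defaultdict

# Constructed sample of kernel avc messages, modelled on the classic
# "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
# layout. These are NOT the contents of attachment 14026.
SAMPLE_DMESG = """\
avc:  denied  { getattr } for  pid=412 exe=/sbin/reiserfsck path=/dev/mem dev=03:01 ino=1234 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
avc:  denied  { getattr } for  pid=412 exe=/sbin/reiserfsck path=/dev/zero dev=03:01 ino=1235 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:zero_device_t tclass=chr_file
avc:  denied  { getattr } for  pid=412 exe=/sbin/reiserfsck path=/dev/random dev=03:01 ino=1236 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file
avc:  denied  { write add_name } for  pid=520 exe=/bin/mkdir name=lock dev=00:0b ino=2 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
avc:  denied  { create } for  pid=521 exe=/bin/touch name=.keep dev=00:0b ino=3 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
avc:  denied  { search } for  pid=530 exe=/bin/ps name=sys dev=00:03 ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:proc_hw_t tclass=dir
Mounted devfs on /dev
"""

# Pull the permission set, source type, target type and object class out of
# one avc line. The contexts are user:role:type, so the type is the last
# colon-separated field.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=\S+:(?P<stype>\w+)"
    r"\s+tcontext=\S+:(?P<ttype>\w+)"
    r"\s+tclass=(?P<tclass>\w+)"
)

# Heuristic (this example's assumption): a denial consisting only of a
# metadata probe is noise to silence, not access to grant. Comment 1 makes
# this argument for the reiserfsck getattr denials.
PROBE_PERMS = {"getattr"}


def parse_denials(text):
    """Return one (stype, ttype, tclass, perms) tuple per avc denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # ordinary dmesg output, not an AVC message
        perms = frozenset(m.group("perms").split())
        denials.append((m.group("stype"), m.group("ttype"),
                        m.group("tclass"), perms))
    return denials


def generate_rules(text):
    """Merge denials into one policy statement per (source, target, class).

    Statements are returned as a list of strings in .te syntax; tmpfs_t
    targets get a preceding comment line pointing at the macro alternative.
    """
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)] |= perms

    rules = []
    tmpfs_noted = set()
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        verb = "dontaudit" if perms <= PROBE_PERMS else "allow"
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        if ttype == "tmpfs_t" and stype not in tmpfs_noted:
            tmpfs_noted.add(stype)
            rules.append(f"# {stype} on tmpfs: comment 1 suggests the "
                         f"tmpfs_domain() macro instead of raw rules")
        rules.append(f"{verb} {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_DMESG)))
```

Run it against a saved dmesg instead of SAMPLE_DMESG and review the output by hand before adding anything to a .te file; the script only groups what the kernel reported, it cannot tell whether a given access is actually needed by the program that triggered it.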
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2003-06-30 11:58:27 UTC
I've committed fixes for most of this, including updating the baselayout version in the profile.  However, I'm still curious about the ps and id, why would initrc_t be running these commands?
Comment 5 Chris PeBenito (RETIRED) gentoo-dev 2003-07-02 17:01:41 UTC
ps and id denials were also fixed by the newer baselayout.  Closing.