[DSE-Dev] refpolicy: patch for ldconfig from glibc 2.7, new patch
Václav Ovsík
vaclav.ovsik at i.cz
Fri Feb 29 07:21:16 UTC 2008
Hi,
this is a completion of the previous patch...
On Fri, Feb 22, 2008 at 01:05:39PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2008-02-22 at 16:27 +0100, Václav Ovsík wrote:
> > Hi,
> > I had some denials for ldconfig on Debian Sid. I took changes from
> > the Fedora policy package - a patch attached. I grabbed only the things
> > needed to suppress the denials below from Fedora.
> >
> > audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
> > audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
> > audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
>
> This is the right fix, and basically the same fix is queued up for
> merging as part of Dan's patch set.
When se_aptitude or se_apt is run on Debian (apt or aptitude execution wrapped
with run_init), then the ldconfig called from the postinst and/or postrm
scripts of shared libs brings the following denials:
Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
The attached patch (which replaces my previous patch) suppresses these messages.
Maybe this could also be solved by adding unconfined_domain(ldconfig_t), as
Fedora or Ubuntu do. (This could be added too.)
Regards
--
Zito
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libraries.ldconfig.2.patch
Type: text/x-diff
Size: 1621 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20080229/6c7e221c/attachment.patch
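As an added example (not code from the thread or from the attached patch), the script below folds the AVC denials quoted in this thread into the literal allow rules they imply, the same translation audit2allow performs, so a policy reviewer can see exactly how broad each rule would be (a rule on var_t:file covers every file labelled var_t, not just aux-cache) before deciding whether to accept it or use a narrower refpolicy interface. It parses both the bare audit(...) form and the syslog-prefixed form that appear above; the sample lines are copied from the thread.

```python
import re
from collections import OrderedDict

# AVC denial lines copied from the thread above; the second batch carries a
# syslog prefix, the first does not, and some lines lack dev=/ino= fields.
SAMPLE_DENIALS = """
audit(1203580520.435:11): avc: denied { read } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.435:12): avc: denied { getattr } for pid=3985 comm="ldconfig" name="aux-cache" dev=sda1 ino=294984 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
audit(1203580520.907:13): avc: denied { write } for pid=3985 comm="ldconfig" name="ldconfig" dev=sda1 ino=294986 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:14): avc: denied { add_name } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
audit(1203580520.907:15): avc: denied { create } for pid=3985 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:13): avc: denied { read write } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Feb 28 12:24:59 sid kernel: audit(1204197899.429:14): avc: denied { use } for pid=3209 comm="ldconfig" name="2" dev=devpts ino=4 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd
Feb 28 12:24:59 sid kernel: audit(1204197899.429:15): avc: denied { write } for pid=3209 comm="ldconfig" name="[23124]" dev=pipefs ino=23124 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
"""

# Permission set in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; skip unrelated log lines
        yield (context_type(m['scon']), context_type(m['tcon']),
               m['tclass'], set(m['perms'].split()))

def allow_rules(text):
    """Merge denials into the minimal allow rules, keyed on (src, tgt, class)."""
    merged = OrderedDict()
    for stype, ttype, tclass, perms in parse_denials(text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in merged.items()]

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_DENIALS)))
```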