Package: dpkg
Version: 1.14.16.6
Severity: normal
Hi,
when analysing the SELinux audit log I found that the post-/pre-install/rm
scripts inherit the file descriptor of the pipe between apt and dpkg. This
descriptor causes the SELinux audit message:
audit(1205849195.192:35): avc: denied { write } for pid=4798 comm="ldconfig"
name="[15750]" dev=pipefs ino=15750 scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file
After some investigation:
sid:~# se_apt-get install libcdb1
Authenticating root.
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
libcdb1
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/11.9kB of archives.
After this operation, 36.9kB of additional disk space will be used.
Selecting previously deselected package libcdb1.
(Reading database ... 68311 files and directories currently installed.)
Unpacking libcdb1 (from .../archives/libcdb1_0.76_i386.deb) ...
Setting up libcdb1 (0.76) ...
sid:~# echo 'sleep 1000' >>/var/lib/dpkg/info/libcdb1.postrm
sid:~# se_apt-get remove --purge libcdb1
Authenticating root.
Password:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
libcdb1*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 36.9kB disk space will be freed.
(Reading database ... 68315 files and directories currently installed.)
Removing libcdb1 ...
And while the postrm script is waiting in sleep...
sid:~# ps axf
...
4776 pts/3 SN+ 0:47 | \_ /usr/sbin/run_init apt-get remove --purge
libcdb1
4782 pts/2 Ss+ 0:00 | \_ apt-get remove --purge libcdb1
4796 pts/5 Ss+ 0:00 | \_ /usr/bin/dpkg --status-fd 13
--force-depends --force-remove-essential
4797 pts/5 S+ 0:00 | \_ /bin/sh
/var/lib/dpkg/info/libcdb1.postrm remove
4799 pts/5 S+ 0:00 | \_ sleep 1000
...
sid:~# lsof -p 4782 -p 4796 -p 4797 -p 4799|grep FIFO
apt-get 4782 root 12r FIFO 0,6 15750 pipe
dpkg 4796 root 13w FIFO 0,6 15750 pipe
libcdb1.p 4797 root 13w FIFO 0,6 15750 pipe
sleep 4799 root 13w FIFO 0,6 15750 pipe
This information corresponds with the SELinux message above (fd 13, inode
15750). I think dpkg should not pass this descriptor down.
Best Regards!
--
Zito
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-6-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash
Versions of packages dpkg depends on:
ii coreutils 6.10-3 The GNU core utilities
ii libc6 2.7-9 GNU C Library: Shared libraries
dpkg recommends no packages.
-- no debconf information
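The leak the report shows (a pipe's write end, set up by the parent as a status channel, surviving the exec of a shell "maintainer script") and the fix it asks for (marking that descriptor close-on-exec so only the parent can write to it) are reproduced below as an added C example. This is not dpkg's or apt's code; it assumes a POSIX system with /bin/sh and fork/exec available, picks an unused single-digit descriptor for the status fd because dash only accepts fds 0-9 in redirections, and uses a constructed one-line shell script in place of a real postrm.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pick an unused descriptor in 3..9 (dash rejects ">&13"), standing in
 * for the user-chosen number dpkg receives via --status-fd. */
static int free_low_fd(void)
{
    for (int fd = 3; fd <= 9; fd++)
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF)
            return fd;
    return -1;
}

/* Exec a shell "maintainer script" (constructed stand-in for a postrm)
 * that tries to write to FD. Returns 1 if the write succeeded, i.e. the
 * descriptor was inherited across exec, 0 if not, -1 on error. */
static int script_can_write(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Set up a status pipe the way apt/dpkg do, optionally marking the write
 * end FD_CLOEXEC, run the script, then write a status line ourselves and
 * drain the pipe into OUT. Returns 1 if the script could write to the
 * descriptor (leak), 0 if it could not, -1 on error. */
int probe_status_fd(int cloexec, char *out, size_t outsz)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int fd = free_low_fd();
    if (fd < 0 || dup2(p[1], fd) < 0) {
        close(p[0]); close(p[1]);
        return -1;
    }
    close(p[1]);                       /* keep only the renumbered end */
    if (cloexec) {
        /* The fix: the parent keeps the fd, exec'd children lose it.
         * (pipe2(p, O_CLOEXEC) would do this atomically at creation.) */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(p[0]); close(fd);
            return -1;
        }
    }
    int leaked = script_can_write(fd);
    /* FD_CLOEXEC does not affect the parent: its own status write works. */
    const char msg[] = "status: done\n";
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        leaked = -1;
    close(fd);                         /* last writer gone -> reader sees EOF */
    size_t total = 0;
    ssize_t n;
    while (total < outsz - 1 &&
           (n = read(p[0], out + total, outsz - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(p[0]);
    return leaked;
}

int main(void)
{
    char buf[128];
    int r = probe_status_fd(0, buf, sizeof buf);
    printf("default fd:  leaked=%d received=%s", r, buf);
    r = probe_status_fd(1, buf, sizeof buf);
    printf("FD_CLOEXEC:  leaked=%d received=%s", r, buf);
    return 0;
}
```

In the default run the pipe receives the script's "leaked" line ahead of the parent's status line, matching the lsof listing where the postrm and its sleep child hold fd 13 on the same inode as dpkg; with FD_CLOEXEC set, the script's redirection fails and only the parent's status line arrives, which is the behaviour the report asks dpkg to adopt.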