Package: selinux-policy-default
Version: 2:0.0.20080702-4
Severity: normal
Tags: patch

Hi,
running ldconfig with SE Linux enabled in permissive mode results in the following denials:

[ 3990.114224] type=1400 audit(1218548500.328:31): avc:  denied  { read } for  
pid=4714 comm="ldconfig" name="aux-cache" dev=hda2 ino=82125 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.124557] type=1300 audit(1218548500.328:31): arch=40000003 syscall=5 
success=yes exit=3 a0=80c42dc a1=0 a2=90d48f0 a3=bf8d8a08 items=0 ppid=1816 
pid=4714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" 
subj=unconfined_u:unconfined_r:ldconfig_t:s0 key=(null)
[ 3990.133965] type=1400 audit(1218548500.349:32): avc:  denied  { getattr } 
for  pid=4714 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev=hda2 
ino=82125 scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.141174] type=1300 audit(1218548500.349:32): arch=40000003 syscall=197 
success=yes exit=0 a0=3 a1=bf8d8984 a2=90d48f0 a3=bf8d8a08 items=0 ppid=1816 
pid=4714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" 
subj=unconfined_u:unconfined_r:ldconfig_t:s0 key=(null)
[ 3990.172814] type=1400 audit(1218548500.388:33): avc:  denied  { write } for  
pid=4714 comm="ldconfig" name="ldconfig" dev=hda2 ino=81891 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=dir
[ 3990.178302] type=1400 audit(1218548500.388:33): avc:  denied  { add_name } 
for  pid=4714 comm="ldconfig" name="aux-cache~" 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=dir
[ 3990.183627] type=1400 audit(1218548500.388:33): avc:  denied  { create } for 
 pid=4714 comm="ldconfig" name="aux-cache~" 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.195683] type=1400 audit(1218548500.388:33): avc:  denied  { write } for  
pid=4714 comm="ldconfig" name="aux-cache~" dev=hda2 ino=82129 
scontext=unconfined_u:unconfined_r:ldconfig_t:s0 
tcontext=unconfined_u:object_r:var_t:s0 tclass=file
[ 3990.200344] type=1300 audit(1218548500.388:33): arch=40000003 syscall=5 
success=yes exit=3 a0=90d58a0 a1=20241 a2=180 a3=90d58a0 items=0 ppid=1816 
pid=4714 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 ses=4294967295 comm="ldconfig" exe="/sbin/ldconfig" 
subj=unconfined_u:unconfined_r:ldconfig_t:s0 key=(null)

I already solved this and sent a patch (taken from Fedora) upstream in
the past, but unfortunately it has not been merged yet :(.
http://marc.info/?t=120369424100003&r=1&w=2

Attached is a patch against the sources of the Debian policy.
Regards.
-- 
Zito


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-2    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-4   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-5   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-1   SELinux policy compiler
ii  setools                       3.3.4.ds-4 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information
Index: policy/modules/system/libraries.fc
===================================================================
--- policy/modules/system/libraries.fc.orig	2008-08-12 16:08:33.000000000 +0200
+++ policy/modules/system/libraries.fc	2008-08-12 16:12:55.000000000 +0200
@@ -304,10 +304,9 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
 ')
-ifdef(`distro_debian', `
-/var/cache/ldconfig/aux-cache		--	gen_context(system_u:object_r:ld_so_cache_t,s0)
-')
 
 /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+
+/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
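Review bot: The new file context only applies to objects that get relabeled, and the denials quoted in the report show /var/cache/ldconfig and aux-cache currently carrying var_t, so the existing directory has to be relabeled (e.g. `restorecon -R /var/cache/ldconfig`) when the updated policy is installed or ldconfig keeps hitting the same denials; unless the policy package already relabels on upgrade, that step is worth stating in the report or the packaging. The new entry also separates the path from the context with a mix of tabs and spaces, unlike the surrounding lines which use tabs only; a tab-only separator would match the file's style. Dropping the `distro_debian` guard looks fine since the path is not Debian-specific, but note that the replaced entry labeled only the regular file (`--`) while the new one matches the directory and everything beneath it, which is what the `tclass=dir` denials in the report require.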
Index: policy/modules/system/libraries.te
===================================================================
--- policy/modules/system/libraries.te.orig	2008-08-12 16:08:33.000000000 +0200
+++ policy/modules/system/libraries.te	2008-08-12 16:12:26.000000000 +0200
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 
+type ldconfig_cache_t;
+files_type(ldconfig_cache_t)
+
 type ldconfig_tmp_t;
 files_tmp_file(ldconfig_tmp_t)
 
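Review bot: The new `type ldconfig_cache_t;` declaration carries no comment saying what it labels, and the only place the path appears is the separate libraries.fc hunk; add `# /var/cache/ldconfig and the aux-cache files ldconfig keeps there` above the declaration so a reader of the .te file does not have to cross-reference. This patch also adds no interface for ldconfig_cache_t to libraries.if, so any other domain that later needs to read or relabel the cache would have to edit this module directly; if that is intended for now, a short comment noting it would save the next maintainer a search.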
@@ -51,7 +54,9 @@
 
 allow ldconfig_t self:capability sys_chroot;
 
-allow ldconfig_t ld_so_cache_t:file manage_file_perms;
+manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)
+
+manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
 files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 
 manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
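Review bot: Replacing `allow ldconfig_t ld_so_cache_t:file manage_file_perms;` with `manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)` grants more than the removed rule, since the pattern macro also allows `rw_dir_perms` on `ld_so_cache_t:dir`, a class the type is presumably never applied to (the `files_etc_filetrans` on the following line only creates files of that type). Nothing in the report motivates that broadening, so the original `allow` line should stay and only the new `manage_files_pattern(ldconfig_t,ldconfig_cache_t,ldconfig_cache_t)` line be added. That new line does cover the denials quoted in the report, because the .fc hunk gives both the directory and the aux-cache files the same type, so the dir `write`/`add_name` and the file `create`/`write` all fall under it.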
