Date: Wed, 29 May 2024 15:16:30 +0200
From: Stefano Brivio
To: Derek Schrock
CC: David Gibson, passt-dev@passt.top
Subject: Re: [PATCH] selinux: Allow access to user_devpts
Message-ID: <20240529151630.31002d62@elisabeth>
In-Reply-To:
References: <20240528101256.37a74bc8@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt
On Tue, 28 May 2024 14:11:37 -0400
Derek Schrock wrote:

> On Tue, May 28, 2024 at 05:25:15AM EDT, David Gibson wrote:
> > On Tue, May 28, 2024 at 10:12:56AM +0200, Stefano Brivio wrote:
> > > On Tue, 28 May 2024 16:55:55 +1000
> > > David Gibson wrote:
> > >
> > > > On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> > > > > Allow access to user_devpts.
> > > > >
> > > > > $ pasta --version
> > > > > pasta 0^20240510.g7288448-1.fc40.x86_64
> > > > > ...
> > > > > $ awk '' < /dev/null
> > > > > $ pasta --version
> > > > > $
> > > > >
> > > > > While this might be an awk bug it appears pasta should still have access
> > > > > to devpts.
> > >
> > > Derek, thanks for the patch!
> > >
> > > > It's not clear to me why pasta would need any access to /dev/pts. The
> > > > shell that pasta spawns does, of course, but it should already live in
> > > > a different security context.
> > >
> > > Note that that doesn't happen in a shell pasta spawned: pasta --version
> > > doesn't do that.
> >
> > Oh, good point. I missed what was going on in that example.
> >
> > > It's just that after that awk command, enabling access to
> > > user_tty_device_t doesn't seem to be enough anymore, we need
> > > user_devpts_t then. Which is probably something reasonable to enable
> > > anyway.
> >
> > Hmmm.. this still doesn't make sense to me. AFAIK, /dev/pts is about
> > managing pseudo-ttys, I see no reason we'd need to do that. Our
> > stdout *could* be a pseudo-tty, I suppose. But surely selinux can't
> > be requiring us to explicitly allow for any possible stdout/stderr
> > target?

...there might be something that subsumes both possibilities (or all of
them), I need to look into it.

> > Especially not one as completely routine as a pseudo-tty -
> > that will be the case for anything run in an xterm.
> >
> > I also can't fathom why running awk would change anything. Could
> > there be something bogus in the selinux profile of the original shell
> > which allows the awk invocation to change the context somehow?
>
> Don't know if it means anything but stdout still works just not to the
> interactive shell with pasta post awk:
>
> $ awk '' < /dev/null
> $ pasta --version | wc -l
> 7
> $
>
> This is also reproducible in rocky9 (most likely RHEL9 too). If that's
> the case do you want me a ticket with Red Hat?
> create a case with Red Hat

I don't think we can exclude an issue with passt's upstream SELinux
policy, yet.

I'm off this week, let me have a look next week and I'll get back to you.

-- 
Stefano
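As an added example (not code from this thread or from the passt project), a small triage helper that groups AVC denials from an audit log by source type, target type and object class, which is the check that tells whether the denied target is user_tty_device_t or user_devpts_t before any policy is widened. The audit lines and the `pasta_t` domain name are constructed assumptions; the thread only names the target types.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the thread). The source
# domain name pasta_t is an assumption; only the target types come from the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1716988000.101:201): avc:  denied  { read write } for  pid=4242 comm="pasta" path="/dev/pts/3" dev="devpts" ino=6 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1716988000.101:201): avc:  denied  { getattr } for  pid=4242 comm="pasta" path="/dev/pts/3" dev="devpts" ino=6 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1716987000.500:190): avc:  denied  { write } for  pid=4100 comm="pasta" path="/dev/tty1" dev="devtmpfs" ino=12 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=system_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1716988000.101:201): arch=c000003e syscall=1 success=no exit=-13
"""

# Pull the denied permission set and the three fields an allow rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return context.split(":")[2]


def summarize_denials(audit_text):
    """Group AVC denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no avc: denied
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in rules.items()}


def as_allow_rules(summary):
    """Render the summary in the allow-rule shape audit2allow would print, for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

On a real system the input is `ausearch -m avc -ts recent` output; the point of grouping is to see that the /dev/pts/N denials land on user_devpts_t while the /dev/ttyN ones land on user_tty_device_t, so both show up as separate rules rather than one.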