Date: Tue, 28 May 2024 16:55:55 +1000
From: David Gibson
To: Derek Schrock
CC: passt-dev@passt.top
Subject: Re: [PATCH] selinux: Allow access to user_devpts

On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> Allow access to user_devpts.
>
> $ pasta --version
> pasta 0^20240510.g7288448-1.fc40.x86_64
> ...
> $ awk '' < /dev/null
> $ pasta --version
> $
>
> While this might be an awk bug it appears pasta should still have access
> to devpts.

It's not clear to me why pasta would need any access to /dev/pts. The
shell that pasta spawns does, of course, but it should already live in
a different security context.

> --- > contrib/selinux/pasta.te | 1 + > 1 file changed, 1 insertion(+) >=20 > diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te > index 0ceda06..4e36c3f 100644 > --- a/contrib/selinux/pasta.te > +++ b/contrib/selinux/pasta.te
> @@ -211,3 +211,4 @@ allow pasta_t ifconfig_t:process { noatsecure rlimiti= nh siginh }; > allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; > allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; > allow pasta_t user_tty_device_t:chr_file { append read write }; > +allow pasta_t user_devpts_t:chr_file { append read write };

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
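
Review bot: the single added line, "allow pasta_t user_devpts_t:chr_file { append read write };", widens the pasta_t domain without the commit message showing which access was actually denied. The only evidence given is that "pasta --version" prints nothing after "awk '' < /dev/null", and the message itself allows that this may be an awk bug. Please include the AVC denial record (source context, target context, permission) in the commit message so it is clear that the access is made by pasta_t itself and not by a spawned process that should already be running in another domain. If only a subset of append, read and write appears in the denial, grant only that subset rather than copying the full set from the user_tty_device_t rule on the line above.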