public inbox for passt-dev@passt.top
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: Derek Schrock <dereks@lifeofadishwasher.com>, passt-dev@passt.top
Subject: Re: [PATCH] selinux: Allow access to user_devpts
Date: Tue, 28 May 2024 19:25:15 +1000	[thread overview]
Message-ID: <ZlWi-xzaaXhh3STJ@zatzit> (raw)
In-Reply-To: <20240528101256.37a74bc8@elisabeth>

On Tue, May 28, 2024 at 10:12:56AM +0200, Stefano Brivio wrote:
> On Tue, 28 May 2024 16:55:55 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
> 
> > On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> > > Allow access to user_devpts.
> > > 
> > > 	$ pasta --version
> > > 	pasta 0^20240510.g7288448-1.fc40.x86_64
> > > 	...
> > > 	$ awk '' < /dev/null
> > > 	$ pasta --version
> > > 	$
> > > 
> > > While this might be an awk bug it appears pasta should still have access
> > > to devpts.  
> 
> Derek, thanks for the patch!
> 
> > It's not clear to me why pasta would need any access to /dev/pts.  The
> > shell that pasta spawns does, of course, but it should already live in
> > a different security context.
> 
> Note that that doesn't happen in a shell pasta spawned: pasta --version
> doesn't do that.

Oh, good point.  I missed what was going on in that example.

> It's just that after that awk command, enabling access to
> user_tty_device_t doesn't seem to be enough anymore, we need
> user_devpts_t then. Which is probably something reasonable to enable
> anyway.

Hmmm.. this still doesn't make sense to me.  AFAIK, /dev/pts is about
managing pseudo-ttys, I see no reason we'd need to do that.  Our
stdout *could* be a pseudo-tty, I suppose.  But surely selinux can't
be requiring us to explicitly allow for any possible stdout/stderr
target?  Especially not one as completely routine as a pseudo-tty -
that will be the case for anything run in an xterm.

I also can't fathom why running awk would change anything.  Could
there be something bogus in the selinux profile of the original shell
which allows the awk invocation to change the context somehow?

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
