From: David Gibson
To: Stefano Brivio
Cc: Derek Schrock, passt-dev@passt.top
Date: Tue, 28 May 2024 19:25:15 +1000
Subject: Re: [PATCH] selinux: Allow access to user_devpts
In-Reply-To: <20240528101256.37a74bc8@elisabeth>
List-Id: Development discussion and patches for passt
On Tue, May 28, 2024 at 10:12:56AM +0200, Stefano Brivio wrote:
> On Tue, 28 May 2024 16:55:55 +1000
> David Gibson wrote:
>
> > On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> > > Allow access to user_devpts.
> > >
> > > $ pasta --version
> > > pasta 0^20240510.g7288448-1.fc40.x86_64
> > > ...
> > > $ awk '' < /dev/null
> > > $ pasta --version
> > > $
> > >
> > > While this might be an awk bug it appears pasta should still have access
> > > to devpts.
>
> Derek, thanks for the patch!
>
> > It's not clear to me why pasta would need any access to /dev/pts. The
> > shell that pasta spawns does, of course, but it should already live in
> > a different security context.
>
> Note that that doesn't happen in a shell pasta spawned: pasta --version
> doesn't do that.

Oh, good point. I missed what was going on in that example.

> It's just that after that awk command, enabling access to
> user_tty_device_t doesn't seem to be enough anymore, we need
> user_devpts_t then. Which is probably something reasonable to enable
> anyway.

Hmmm.. this still doesn't make sense to me. AFAIK, /dev/pts is about
managing pseudo-ttys, I see no reason we'd need to do that. Our stdout
*could* be a pseudo-tty, I suppose. But surely selinux can't be
requiring us to explicitly allow for any possible stdout/stderr target?
Especially not one as completely routine as a pseudo-tty - that will be
the case for anything run in an xterm.

I also can't fathom why running awk would change anything. Could there
be something bogus in the selinux profile of the original shell which
allows the awk invocation to change the context somehow?

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
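As an added example that is not part of this thread or of passt's own tooling: a small POSIX sh helper that summarises SELinux AVC denial records so the denied permissions, object class, source type and target type stand out, which is the quickest way to see whether the denied object is labelled user_devpts_t (a pty under /dev/pts) or user_tty_device_t, and a second helper that reports the label of the current stdout to confirm whether it is a pty at all. The sample audit record, the pasta_t source type and all field values in it are constructed for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials read from
# stdin (audit.log or "ausearch -m avc" output) as
#   <denied perms> <tclass> <source type> -> <target type>
avc_summary() {
  awk '
    /avc: *denied/ {
      perms = ""; sctx = ""; tctx = ""; tclass = ""
      # the permission set sits between "denied {" and "}"
      if (match($0, /denied[ ]*[{][^}]*[}]/)) {
        perms = substr($0, RSTART, RLENGTH)
        sub(/denied[ ]*[{][ ]*/, "", perms)
        sub(/[ ]*[}]/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") sctx = kv[2]
        if (kv[1] == "tcontext") tctx = kv[2]
        if (kv[1] == "tclass")   tclass = kv[2]
      }
      # contexts are user:role:type:level; the type is the third field
      split(sctx, s, ":"); split(tctx, t, ":")
      printf "%s %s %s -> %s\n", perms, tclass, s[3], t[3]
    }'
}

# Label of this process'"'"'s stdout; GNU stat prints "?" for %C when SELinux
# is not enabled, and we fall back to "unknown" where %C is unsupported.
stdout_label() {
  stat -L -c '%C' /proc/self/fd/1 2>/dev/null || echo unknown
}

# Constructed sample record (pasta_t source type, pid, inode and path are
# assumptions for illustration); a real one comes from the audit log.
SAMPLE_AVC='type=AVC msg=audit(1716888322.000:123): avc:  denied  { read write } for  pid=4242 comm="pasta" path="/dev/pts/3" dev="devpts" ino=6 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0'

printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "stdout label: $(stdout_label)"
```

A target type of user_devpts_t on a chr_file with only read/write denied points at stdout or stderr being a pty rather than at any pty management, which is the distinction the thread is trying to settle.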