From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])
	by passt.top (Postfix) with ESMTPS id 2E3415A004C
	for <passt-dev@passt.top>; Tue, 28 May 2024 11:25:27 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202312; t=1716888322;
	bh=mjFUqg+Bdiyq5lk9+ONtDb35zwrNJcMQgNSqQ3aMtHw=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=LKI7KkyRyS38cVqSxVOhPJsWb4qMaPr7jP5fW2ZQ+yC1kWKr0Nv43AOnajYaxBc1X
	 kzp7J7AAjaKNRmyvWNkDczH4O30Ycd2EKikK29iiZhXVSUURQScwpXxb1kHvfM9wqK
	 Kj+bH34iVeP4SvN7d8hlf6kMC1m2kYZXxdQlvlTqUNly7ouZEwrT3gsjBesUDAJt33
	 dCfM6x09lYibSnawS/n+XSRQ/NHO5rJKEqjxRmq47jB5APlx8uthFtqghqdDginwS/
	 lj3rCkiSy2ckgX3zeNnKT0s1mbTDcNzxvGRgPnG9pF1MKUo2EPwXV41yHrhJ7AlwSX
	 W9J7O/CMkMOtg==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4VpRv60X91z4x2d; Tue, 28 May 2024 19:25:22 +1000 (AEST)
Date: Tue, 28 May 2024 19:25:15 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Subject: Re: [PATCH] selinux: Allow access to user_devpts
Message-ID: <ZlWi-xzaaXhh3STJ@zatzit>
References: <ZlO3mubsVTI51BmM@ircbsd.lifeofadishwasher.com>
 <ZlV_-9elViO72i2n@zatzit>
 <20240528101256.37a74bc8@elisabeth>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="gFDruX5ZzmT8om+S"
Content-Disposition: inline
In-Reply-To: <20240528101256.37a74bc8@elisabeth>
Message-ID-Hash: NTEOXCMUJ7XHHSAXMQCZOCGQISMQTFN3
X-Message-ID-Hash: NTEOXCMUJ7XHHSAXMQCZOCGQISMQTFN3
X-MailFrom: dgibson@gandalf.ozlabs.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Derek Schrock <dereks@lifeofadishwasher.com>, passt-dev@passt.top
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/ZlWi-xzaaXhh3STJ@zatzit/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/NTEOXCMUJ7XHHSAXMQCZOCGQISMQTFN3/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>


--gFDruX5ZzmT8om+S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 28, 2024 at 10:12:56AM +0200, Stefano Brivio wrote:
> On Tue, 28 May 2024 16:55:55 +1000
> David Gibson <david@gibson.dropbear.id.au> wrote:
>=20
> > On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> > > Allow access to user_devpts.
> > >=20
> > > 	$ pasta --version
> > > 	pasta 0^20240510.g7288448-1.fc40.x86_64
> > > 	...
> > > 	$ awk '' < /dev/null
> > > 	$ pasta --version
> > > 	$
> > >=20
> > > While this might be a awk bug it appears pasta should still have acce=
ss
> > > to devpts. =20
>=20
> Derek, thanks for the patch!
>=20
> > It's not clear to me why pasta would need any access to /dev/pts.  The
> > shell that pasta spawns does, of course, but it should already live in
> > a difference security context.
>=20
> Note that that doesn't happen in a shell pasta spawned: pasta --version
> doesn't do that.

Oh, good point.  I missed what was going on in that example.

> It's just that after that awk comamnd, enabling access to
> user_tty_device_t doesn't seem to be enough anymore, we need
> user_devpts_t then. Which is probably something reasonable to enable
> anyway.

Hmmm.. this still doesn't make sense to me.  AFAIK, /dev/pts is about
managing pseudo-ttys, I see no reason we'd need to do that.  Our
stdout *could* be a pseudo-tty, I suppose.  But surely selinux can't
be requiring us to explicitly allow for any possible stdout/stderr
target?  Especially not one as completely routine as a pseudo-tty -
that will be the case for anything run in an xterm.

I also can't fathom why running awk would change anything.  Could
there be something bogus in the selinux profile of the original shell
which allows the awk invocation to change the context somehow?

--=20
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

--gFDruX5ZzmT8om+S
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmZVoucACgkQzQJF27ox
2GdohQ//ZFPrhtJmKx2UipqqDb5ASWJpcNj0h7AJLhyoa5zl0BSkAk3H8TirZP0i
bOUr++prx5ivBxsW7Bk/oClZ2aw+aa7+zI7PwAEqqBrg08PmYGgSTXVjsw+yUxUq
VC5F0mLqC2qVxWZ0AjK/ShZpELUvtxQ/u+TBhaGDmf12DmlMSeynqxN+z3iePXMi
40+65bTimkT+marnI/NXazZsmi6xbmR7xuvGt8dJyQLmo5N9mWSCY4GrvjhDH+DF
mFXuvKzuVApf6gnNlHWmCLTIK+1SSNUWv04YVbsui2fMJZg/4YHGY6K8v1Mlppo1
4p4cEajdJOcnNx+Fu+N+Glo28hqs094UT6YBMtbYdyDZ1HrEOcL611+v4v0ZQQ+v
NCEk4L33NTdplHWrRr8jon4P0ALKnP2pLUliW0ye5BoUAm3FsiHcVbM3l5ijpYkw
q5QxeRT91d8gcUHhH0IMO+lUowehz8eAuDiW5AUl/UqXejt4scqE4cy7R7DXA0/n
ECRMzNAnqUFJgwkvDbuf72Khovee6mQsTTPu6FO56ji3ieo4Nox9tsjLZPpTwQvJ
U2oJvtyeVBESAUki7uy7FCFZALFh/XZUcG3ZTTHJCQwraSgw6Hm3UNoAUSVp0mqb
SbKu+3OGhOG8z2PrbWBm3N/TaMzPKQjSETZ+FIiAOdw6y2pA9wU=
=od4Z
-----END PGP SIGNATURE-----

--gFDruX5ZzmT8om+S--