Date: Tue, 28 May 2024 14:11:37 -0400
From: Derek Schrock
To: David Gibson
CC: Stefano Brivio, passt-dev@passt.top
Subject: Re: [PATCH] selinux: Allow access to user_devpts
References: <20240528101256.37a74bc8@elisabeth>

On Tue, May 28, 2024 at 05:25:15AM EDT, David Gibson wrote:
> On Tue, May 28, 2024 at 10:12:56AM +0200, Stefano Brivio wrote:
> > On Tue, 28 May 2024 16:55:55 +1000
> > David Gibson wrote:
> >
> > > On Sun, May 26, 2024 at 06:28:42PM -0400, Derek Schrock wrote:
> > > > Allow access to user_devpts.
> > > >
> > > > $ pasta --version
> > > > pasta 0^20240510.g7288448-1.fc40.x86_64
> > > > ...
> > > > $ awk '' < /dev/null
> > > > $ pasta --version
> > > > $
> > > >
> > > > While this might be an awk bug it appears pasta should still have access
> > > > to devpts.
> >
> > Derek, thanks for the patch!
> >
> > > It's not clear to me why pasta would need any access to /dev/pts. The
> > > shell that pasta spawns does, of course, but it should already live in
> > > a different security context.
> >
> > Note that that doesn't happen in a shell pasta spawned: pasta --version
> > doesn't do that.
>
> Oh, good point. I missed what was going on in that example.
>
> > It's just that after that awk command, enabling access to
> > user_tty_device_t doesn't seem to be enough anymore, we need
> > user_devpts_t then. Which is probably something reasonable to enable
> > anyway.
>
> Hmmm.. this still doesn't make sense to me. AFAIK, /dev/pts is about
> managing pseudo-ttys, I see no reason we'd need to do that. Our
> stdout *could* be a pseudo-tty, I suppose. But surely selinux can't
> be requiring us to explicitly allow for any possible stdout/stderr
> target? Especially not one as completely routine as a pseudo-tty -
> that will be the case for anything run in an xterm.
>
> I also can't fathom why running awk would change anything. Could
> there be something bogus in the selinux profile of the original shell
> which allows the awk invocation to change the context somehow?

Don't know if it means anything, but stdout still works, just not to the
interactive shell with pasta post awk:

$ awk '' < /dev/null
$ pasta --version | wc -l
7
$

This is also reproducible in rocky9 (most likely RHEL9 too). If that's
the case, do you want me to create a case with Red Hat?
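Added example, not part of this thread or of passt's own code: a small POSIX shell helper that reduces AVC denial records, in the format auditd writes them (on a live system `ausearch -m avc -c pasta` produces such lines), to the target type and permission each denial needs, so one can see directly whether a denial points at user_tty_device_t or at user_devpts_t as debated above. The AVC lines and the pasta_t source label are constructed samples, not output captured on the reporter's system.

```shell
#!/bin/sh
# Constructed sample audit records (not captured from the reporter's box):
# two denials on a pty (user_devpts_t), one on /dev/tty (user_tty_device_t),
# and one unrelated SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1716919897.001:201): avc:  denied  { read write } for  pid=4242 comm="pasta" path="/dev/pts/3" dev="devpts" ino=6 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1716919897.002:202): avc:  denied  { getattr } for  pid=4242 comm="pasta" path="/dev/pts/3" dev="devpts" ino=6 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1716919897.003:203): avc:  denied  { write } for  pid=4243 comm="pasta" path="/dev/tty" dev="devtmpfs" ino=9 scontext=unconfined_u:unconfined_r:pasta_t:s0 tcontext=system_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1716919897.003:203): arch=c000003e syscall=1 success=no exit=-13'

# avc_target_types COMM: read audit records on stdin, keep only AVC denials
# whose comm= matches COMM, and print one "tclass target_type perm" triple
# per line, sorted and de-duplicated. Each output line corresponds to one
# permission an allow rule would have to grant, which makes it easy to tell
# a user_tty_device_t denial from a user_devpts_t one.
avc_target_types() {
    comm="$1"
    grep -E '^type=AVC .*avc: +denied ' |
    grep -F "comm=\"$comm\"" |
    # capture: 1 = permission list inside { }, 2 = type field of tcontext,
    # 3 = object class; emit them as "class type perms..."
    sed -E 's/.*denied +[{] ([^}]*)[}] .*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\3 \2 \1/' |
    # split a multi-permission denial ("read write") into one line each
    awk '{ for (i = 3; i <= NF; i++) print $1, $2, $i }' |
    sort -u
}

# Stand-alone run over the constructed sample; on a real system pipe in
# `ausearch -m avc -c pasta` instead.
printf '%s\n' "$SAMPLE_AVC" | avc_target_types pasta
```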