[refpolicy] [patch 1/1] dmesg: reads /proc/version

Christopher J. PeBenito cpebenito at tresys.com
Mon Feb 28 08:43:21 CST 2011


On 02/21/11 10:33, Daniel J Walsh wrote:
> On 02/21/2011 10:08 AM, Guido Trentalancia wrote:
>> Good afternoon Miroslav !
> 
>> On Mon, 21/02/2011 at 15.14 +0000, Miroslav Grepl wrote:
>>> On 02/19/2011 05:07 AM, Guido Trentalancia wrote:
>>>> Hello Miroslav !
>>>>
>>>> On Fri, 18/02/2011 at 16.00 +0000, Miroslav Grepl wrote:
>>>>> http://mgrepl.fedorapeople.org/F15/admin_dmesg.patch
>>>>>
>>>>>       * dmesg reads /proc/version
>>>>>       * dmesg needs access to abrt files
>>>> I couldn't find any reference in the source code for dmesg from
>>>> util-linux-ng versions 2.18 and 2.19 about the fact that "dmesg
>>>> reads /proc/version".
>>>>
>>>> Nor do I have any indication from the audit logs on the test system I am
>>>> running that dmesg ever required that permission.
>>>>
>>>> Only mount needs to stat() /proc/version.
>>>>
>>>> So, where did you get that from ?
>>> There was a bug saying
>>>
>>> type=AVC msg=audit(1293078612.406:8): avc:  denied  { read } for  pid=2405
>>> comm="dmesg" path="/proc/version" dev=proc ino=4026532016
>>> scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:proc_t:s0
>>> tclass=file
> 
>> That's not a bug. It's an AVC denial. In other words, SELinux is
>> preventing some sort of operation.
> 
>> It still sounds very odd to me.
> 
>> In any case, I got curious about this issue and I went looking at
>> Fedora's package. Yes, F15 source package util-linux-2.19-1.fc15. I am
>> quite sure that such operation is not in the source code for dmesg.
> 
>> Look for yourself, the code is so short ! It's only about calls to
>> klogctl().
> 
>> Hope it helps. But let's quit this topic now, because I believe it is
>> off-theme for this list.
> 
> There is a possibility that the app/domain that executed dmesg, leaked an
> open file descriptor for read to dmesg, and that is being checked on exec.

There is also the possibility that it's a glibc thing.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
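
The leaked-descriptor explanation quoted above can be reproduced without SELinux. The following C program is an added example, not code from this thread, from refpolicy or from util-linux; the helper name fd_survives_exec and the use of /bin/sh as a stand-in for dmesg are assumptions. It shows that a descriptor opened on /proc/version without O_CLOEXEC is still open in the program started by exec, and that O_CLOEXEC keeps it from getting there.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: open `path` read-only (plus extra_flags), then fork
 * and exec /bin/sh, which stands in for dmesg. Returns 1 if the exec'd
 * program still holds the descriptor, 0 if it was closed on exec, and -1
 * on error. Assumes Linux with /proc mounted. */
int fd_survives_exec(const char *path, int extra_flags)
{
    int fd = open(path, O_RDONLY | extra_flags);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        char entry[64];
        /* After exec, /proc/self is the new program, so this entry exists
         * only if descriptor `fd` was inherited across the exec. */
        snprintf(entry, sizeof entry, "/proc/self/fd/%d", fd);
        execl("/bin/sh", "sh", "-c", "[ -e \"$1\" ]", "sh", entry, (char *)NULL);
        _exit(127); /* exec itself failed */
    }

    close(fd);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) > 1)
        return -1; /* shell could not be started or failed unexpectedly */
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("plain open():   inherited=%d\n", fd_survives_exec("/proc/version", 0));
    printf("with O_CLOEXEC: inherited=%d\n", fd_survives_exec("/proc/version", O_CLOEXEC));
    return 0;
}
```

A caller that opens files with O_CLOEXEC (or sets FD_CLOEXEC with fcntl) before executing a confined program gives that program no descriptors it did not open itself.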

