
Bug#499016: /usr/bin/ldd: SE Linux workaround improvement



Package: libc6
Version: 2.7-13
Severity: normal
File: /usr/bin/ldd
Tags: patch

Hi,
ldd already contains a workaround for SE Linux for access to the user's
terminal through the standard output file descriptor. It should be
improved by handling all three standard file descriptors. Only standard
output is handled, but stdin and stderr are also inherited by the traced
process, and SE Linux complains about the `use' permission on the file
descriptor. I got an SE Linux denial with the original ldd running on an
ELF with a domain transition (e.g. /sbin/udevd):

sid:~# ldd.orig /sbin/udevd
[ 3827.214599] type=1400 audit(1221475672.463:16): avc:  denied  { use } for  pid=9673 comm="udevd" path="/dev/tty1" dev=tmpfs ino=1024 scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0 tclass=fd
[ 3827.221873] type=1300 audit(1221475672.463:16): arch=40000003 syscall=11 success=yes exit=0 a0=91dea88 a1=91d61e8 a2=91d5308 a3=0 items=0 ppid=9672 pid=9673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
    linux-gate.so.1 =>  (0xb7ef0000)
    libselinux.so.1 => /lib/libselinux.so.1 (0xb7ecf000)
    libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7d74000)
    libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7d6f000)
    /lib/ld-linux.so.2 (0xb7ef1000)

So a denial on use of the file descriptor is emitted by SE Linux. After
some experimenting I found that closing standard input and redirecting
standard error also solves this. A patch is attached. Can you report
this upstream, please?
Regards
-- 
Zito


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1                       1:4.3.2-1  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  glibc-doc                     2.7-13     GNU C Library: Documentation
ii  libc6-i686                    2.7-13     GNU C Library: Shared libraries [i
ii  locales                       2.7-13     GNU C Library: National Language (

-- debconf information excluded
--- /usr/bin/ldd.orig	2008-07-29 07:21:35.000000000 +0200
+++ /usr/bin/ldd	2008-09-15 12:22:01.000000000 +0200
@@ -114,7 +114,7 @@
 # option, and we don't bother to handle the case for older bash versions.
 if set -o pipefail 2> /dev/null; then
   try_trace() {
-    eval $add_env '"$@"' | cat
+    eval $add_env '"$@"' <&- 2>&1 | cat
   }
 else
   try_trace() {
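Review bot: the fallback `try_trace` definition that begins on the last context line of this hunk (the `else` branch taken when `set -o pipefail` is unavailable) is not touched by the patch, so on such shells the traced process still inherits the terminal on stdin and stderr and the `{ use }` denial shown above persists; the same redirections belong on that definition as well. Two points on the `+` line itself: `<&-` closes fd 0 outright, which means the first descriptor the traced binary opens lands on fd 0, whereas `</dev/null` keeps the tty out of the child just as effectively without that side effect; and `2>&1` now sends the dynamic linker's own error messages through `cat` onto stdout, so anything that parses ldd's stdout or expects errors on stderr sees different output after this change. That behavioural change should at least be noted in the changelog.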

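As an added example (not part of this report and not glibc's ldd script), the script below does two things a practitioner would want next to this bug: it extracts the fd:use denials from audit/dmesg text such as the line quoted above, printing the offending comm, path and source/target contexts, and it runs a command with the redirections the patch proposes, swapping `<&-` for `</dev/null`, then checks that the child no longer holds the terminal on any of fds 0, 1 or 2. The sample audit text is the denial line from the report plus one constructed, unrelated record that must be ignored; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from glibc's ldd script.
#   1. avc_fd_use_denials: pull the fd:use denials (what the report shows
#      for udevd) out of audit/dmesg text, one "comm path scontext tcontext"
#      line per denial.
#   2. run_without_tty_fds / tty_fds_seen: run a traced command with the
#      redirections the patch introduces, but with stdin taken from /dev/null
#      instead of closed with `<&-`, and verify that fds 0-2 of the child are
#      no longer the caller's terminal.

# Sample audit text. The first line is the denial quoted in the report; the
# second is a constructed, unrelated denial that must be ignored.
SAMPLE_AUDIT='[ 3827.214599] type=1400 audit(1221475672.463:16): avc:  denied  { use } for  pid=9673 comm="udevd" path="/dev/tty1" dev=tmpfs ino=1024 scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0 tclass=fd
[ 3827.300000] type=1400 audit(1221475672.500:17): avc:  denied  { read } for  pid=9700 comm="probe" name="shadow" dev=sda1 ino=99 scontext=unconfined_u:system_r:udev_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Read audit lines on stdin; print comm, path, scontext and tcontext for each
# "avc: denied { use }" record whose object class is fd.
avc_fd_use_denials() {
    awk '
    /avc: +denied +[{] use [}]/ && /tclass=fd/ {
        comm = path = sctx = tctx = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            v = kv[2]
            gsub(/"/, "", v)
            if (kv[1] == "comm") comm = v
            else if (kv[1] == "path") path = v
            else if (kv[1] == "scontext") sctx = v
            else if (kv[1] == "tcontext") tctx = v
        }
        print comm, path, sctx, tctx
    }'
}

# Run "$@" so that none of fds 0-2 is the caller's terminal: stdin from
# /dev/null (harmless if the child reads it, and unlike `<&-` it does not
# leave fd 0 free for the child's next open()), stderr merged into stdout,
# stdout through a pipe as in ldd's existing workaround.
run_without_tty_fds() {
    "$@" </dev/null 2>&1 | cat
}

# Probe: under those redirections, print the numbers of any of fds 0-2 that
# are still terminals. Empty output means no tty descriptor was inherited.
tty_fds_seen() {
    run_without_tty_fds sh -c 'for fd in 0 1 2; do [ -t "$fd" ] && printf "%s " "$fd"; done; true'
}

# Demo when run directly: list the fd:use denials, then run the probe.
printf '%s\n' "$SAMPLE_AUDIT" | avc_fd_use_denials
printf 'tty fds inherited: [%s]\n' "$(tty_fds_seen)"
```

Feed `dmesg` or `/var/log/audit/audit.log` into `avc_fd_use_denials` to find every domain transition that is dragging a terminal descriptor along; an empty result from `tty_fds_seen` is the property the patched `try_trace` needs on both of its branches.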