Bug#499016: /usr/bin/ldd: SE Linux workaround improvement
Package: libc6
Version: 2.7-13
Severity: normal
File: /usr/bin/ldd
Tags: patch
Hi,
Ldd already contains a workaround for SE Linux for access to the user's
terminal through the file descriptor of standard output. It should be
improved by handling all three standard file descriptors. Only standard
output is handled, but stdin and stderr are also inherited by the traced
process and SE Linux complains about the `use' permission on the file
descriptor. I got an SE Linux denial with the original ldd running on an ELF
with a domain transition (e.g. /sbin/udevd):
sid:~# ldd.orig /sbin/udevd
[ 3827.214599] type=1400 audit(1221475672.463:16): avc: denied { use } for pid=9673 comm="udevd" path="/dev/tty1" dev=tmpfs ino=1024 scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0 tclass=fd
[ 3827.221873] type=1300 audit(1221475672.463:16): arch=40000003 syscall=11 success=yes exit=0 a0=91dea88 a1=91d61e8 a2=91d5308 a3=0 items=0 ppid=9672 pid=9673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
linux-gate.so.1 => (0xb7ef0000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7ecf000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7d74000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7d6f000)
/lib/ld-linux.so.2 (0xb7ef1000)
So a denial on use of the file descriptor is emitted by SE Linux. After some
experimenting I found that closing standard input and redirecting
standard error also solve this. Attached is a patch. Can you report
this upstream please?
Regards
--
Zito
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6 depends on:
ii libgcc1 1:4.3.2-1 GCC support library
libc6 recommends no packages.
Versions of packages libc6 suggests:
ii glibc-doc 2.7-13 GNU C Library: Documentation
ii libc6-i686 2.7-13 GNU C Library: Shared libraries [i
ii locales 2.7-13 GNU C Library: National Language (
-- debconf information excluded
--- /usr/bin/ldd.orig 2008-07-29 07:21:35.000000000 +0200
+++ /usr/bin/ldd 2008-09-15 12:22:01.000000000 +0200
@@ -114,7 +114,7 @@
# option, and we don't bother to handle the case for older bash versions.
if set -o pipefail 2> /dev/null; then
try_trace() {
- eval $add_env '"$@"' | cat
+ eval $add_env '"$@"' <&- 2>&1 | cat
}
else
try_trace() {
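Review bot: the second try_trace() definition in the else branch (the bash-without-pipefail fallback whose opening line closes this hunk) is not touched by the patch, so on systems that take that path the traced program will still inherit the caller's stdin and stderr and the denial described above can still be raised; the same `<&- 2>&1` redirections should be applied there. Separately, `<&-` closes fd 0 outright instead of pointing it at /dev/null, so a traced program that later open()s a file can be handed fd 0 for it; `</dev/null` detaches stdin without that side effect. Also worth noting that `2>&1` routes the dynamic loader's own diagnostics into the pipe that becomes ldd's output, so callers can no longer separate them by redirecting stderr.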
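As an added illustration of the fix's idea, not code from the bug report or from glibc's ldd: a POSIX sh wrapper that runs a command with all three standard descriptors detached from the terminal, using </dev/null for stdin rather than <&-, together with a probe that has the child report what its fds 0, 1 and 2 resolve to via /proc (Linux-specific assumption). The function names run_detached, probe_std_fds and check_no_tty_fds are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from glibc's ldd.

# Run "$@" with stdin from /dev/null, stderr merged into stdout, and stdout
# through a pipe, so the child (and anything it executes, e.g. a binary that
# undergoes an SELinux domain transition) never inherits a terminal fd.
# /dev/null is used for stdin instead of closing it with <&- so that a later
# open() in the child cannot be handed fd 0 by accident.
run_detached() {
    "$@" </dev/null 2>&1 | cat
}

# Start a child shell through run_detached and have it print, for each of
# fds 0, 1 and 2, what /proc says the descriptor refers to (Linux only;
# assumes /proc is mounted). Output lines look like "0 /dev/null" and
# "1 pipe:[1234]"; fd 2 should resolve to the same pipe as fd 1.
probe_std_fds() {
    run_detached sh -c '
        for n in 0 1 2; do
            printf "%s %s\n" "$n" "$(readlink /proc/$$/fd/$n || echo unknown)"
        done'
}

# Return 1 if any probed descriptor still points at a terminal device,
# 0 otherwise; a quick self-check for a wrapper like the one in ldd.
check_no_tty_fds() {
    probe_std_fds | grep -q -e /dev/tty -e /dev/pts && return 1
    return 0
}
```

Running probe_std_fds from an interactive shell shows fd 0 as /dev/null and fds 1 and 2 as the same pipe, which is exactly the state in which the SELinux fd "use" check against the terminal cannot trigger for the child.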