Bug 150465

Summary: squid -v outputs nothing if logged on pts
Product: [Fedora] Fedora
Reporter: JuanJo Ciarlante <jjo>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: low
Priority: medium
Version: 3
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-04-21 16:21:16 UTC

Description JuanJo Ciarlante 2005-03-07 13:04:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2

Description of problem:
If logged in on a pts (e.g. xterm, ssh), "squid -v" outputs nothing
(it should output version and ./configure information).
avc messages don't appear because of the squid.te dontaudit rule.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.17.30-2.83

How reproducible:
Always

Steps to Reproduce:
0. (using a slightly customized policy src), i.e.:
   make -C /etc/selinux/targeted/src/policy reload
1. Open an xterm or login via ssh
2. run /usr/sbin/squid -v
3. dmesg| tail -1
Actual Results:
2. no output
3. no avc related msgs

Expected Results:  Something like this:
Squid Cache: Version 2.5.STABLE8
configure options:  --build=i386-redhat-linux --host=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr ...
... a lot of configure options ...

Additional info:

* Workaround: 
   squid -v | cat

* Patch (selinux-policy-targeted-sources-1.17.30-2.83):
--- domains/program/squid.te.dist       2005-03-06 22:13:15.000000000
-0300
+++ domains/program/squid.te    2005-03-06 22:12:39.000000000 -0300
@@ -39,6 +39,7 @@
 allow squid_t sysctl_kernel_t:file read;

 allow squid_t devtty_t:chr_file rw_file_perms;
+allow squid_t devpts_t:chr_file rw_file_perms;

 allow squid_t { self proc_t }:file { read getattr };
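
Review bot: the added `+allow squid_t devpts_t:chr_file rw_file_perms;` grants the full rw_file_perms set on pseudo-terminals, which is more than "squid -v" writing its version to the terminal needs; because the squid.te dontaudit rule suppresses the avc messages (see the description), the denied permissions were never actually observed. Suggest reproducing with the dontaudit temporarily removed so the denial is logged, then granting only the permissions that appear, for example `allow squid_t devpts_t:chr_file { read write };`. The neighbouring `allow squid_t devtty_t:chr_file rw_file_perms;` context line deserves the same least-privilege scrutiny.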

Comment 1 Daniel Walsh 2005-03-07 18:33:53 UTC
+allow squid_t devpts_t:chr_file rw_file_perms;  

This is a potentially dangerous rule, and the previous line probably
should be removed also.

If you change it to 

allow squid_t devtty_t:chr_file write;
allow squid_t devpts_t:chr_file write;

Does it work?

Dan
Comment 2 JuanJo Ciarlante 2005-03-08 14:43:44 UTC
Nope; write is not sufficient.

I started from rw_file_perms and went down to this minimum:
  allow squid_t devpts_t:chr_file { read write };
to get squid -v output again.
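
To make the gap between the patch's rw_file_perms rule and the { read write } minimum found above concrete, here is an added Python helper (not part of the bug report or of the selinux-policy package) that expands the macro and lists the permissions the broader rule grants beyond what was needed. The rw_file_perms and r_file_perms expansions are assumed from the core macros of the 1.x-era policy; verify them against your own policy sources.

```python
"""Compare what an SELinux TE allow rule grants with the minimal set needed."""
import re

# Assumed macro definitions (old NSA/Fedora policy core_macros.te); check yours.
MACROS = {
    "rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"},
    "r_file_perms": {"ioctl", "read", "getattr", "lock"},
}

# allow <source> <target>:<class> <perm | { perm ... }>;   (single target only)
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$")


def parse_allow(rule: str):
    """Return (source, target, class, expanded permission set) for one allow rule."""
    m = ALLOW_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a simple allow rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    expanded = set()
    for tok in perms.strip("{} ").split():
        expanded |= MACROS.get(tok, {tok})  # expand a macro, or keep the literal perm
    return src, tgt, cls, expanded


def excess_permissions(rule: str, needed: set) -> set:
    """Permissions the rule grants beyond the set the domain was shown to need."""
    _, _, _, granted = parse_allow(rule)
    return granted - needed


# The rule from the patch in the report versus the minimum found in comment 2.
PATCH_RULE = "allow squid_t devpts_t:chr_file rw_file_perms;"
MINIMAL_RULE = "allow squid_t devpts_t:chr_file { read write };"

if __name__ == "__main__":
    needed = parse_allow(MINIMAL_RULE)[3]
    print("over-granted:", sorted(excess_permissions(PATCH_RULE, needed)))
    # prints: over-granted: ['append', 'getattr', 'ioctl', 'lock']
```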
Comment 3 Daniel Walsh 2005-04-21 16:21:16 UTC
OK. This is fixed in Rawhide: unconfined_t no longer transitions to squid_t, so it will run in the unconfined domain and have this priv.