
Should sysfs_t be split into more fine-grained contexts? #1974

Open
TomasKorbar opened this issue Dec 15, 2023 · 1 comment

Comments

@TomasKorbar (Contributor)

Hi,
recently I have been debugging an AVC denial that started occurring since Fedora 39 for my daemon written in Python.
I tracked down the issue to the blake2 library's dependency on the libgomp library, which tries to find the number of available CPUs by
reading /sys/devices/system/cpu/possible. This seems like a valid use case for a library that provides support for parallel programming. The issue is that the /sys/devices/system/cpu/possible file has the sysfs_t context, and thus if you want to satisfy this request, you give the daemon access to a lot more information than just how many CPUs the system has.
So my question is, shouldn't there be a separate context for CPU or perhaps more devices?

TomasKorbar added a commit to TomasKorbar/dnsconfd that referenced this issue Dec 15, 2023
Because of Python's dependency on libgomp on Fedora >= 38
we have to add access to sysfs_t so dnsconfd is able to read
/sys/devices/system/cpu/possible file

This is discussed in Fedora selinux policy upstream
fedora-selinux/selinux-policy#1974
TomasKorbar added a commit to InfrastructureServices/dnsconfd that referenced this issue Dec 15, 2023
Because of Python's dependency on libgomp on Fedora >= 38
we have to add access to sysfs_t so dnsconfd is able to read
/sys/devices/system/cpu/possible file

This is discussed in Fedora selinux policy upstream
fedora-selinux/selinux-policy#1974
@zpytela (Contributor) commented Dec 15, 2023

Hi Tomas,
You are right, the policy should be more fine-grained in /sys, especially when write permission is needed, but it is currently not implemented this way.
Please use interfaces when accessing types from other modules, like dev_read_sysfs(), or request creating new ones.
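The interface-based rule recommended above, written out as a minimal local policy module. This is an added example, not code from the issue, the selinux-policy project or dnsconfd; the domain type dnsconfd_t is an assumption, since the issue does not name the daemon's actual SELinux type.

```selinux
policy_module(dnsconfd_local, 1.0)

########################################
#
# Local policy: let the daemon read /sys/devices/system/cpu/possible
#

gen_require(`
	# Assumed domain type of the daemon; the issue does not state the real name.
	type dnsconfd_t;
')

# Preferred form: go through the interface exported by the dev module.
# dev_read_sysfs() grants read access to everything labeled sysfs_t, i.e. all
# of /sys, because current policy has no narrower type for the cpu directory.
# The access is still broad, but the dependency on the sysfs_t type stays
# encapsulated in the dev module and survives a future split of the type.
dev_read_sysfs(dnsconfd_t)

# Discouraged form (kept commented out): referencing sysfs_t directly.
# It grants the same broad access, but hard-codes another module's type,
# so a later split of sysfs_t would silently leave this rule behind.
#
# gen_require(`
#	type sysfs_t;
# ')
# allow dnsconfd_t sysfs_t:dir list_dir_perms;
# allow dnsconfd_t sysfs_t:file read_file_perms;
```

Build and install with `make -f /usr/share/selinux/devel/Makefile dnsconfd_local.pp` followed by `semodule -i dnsconfd_local.pp` (selinux-policy-devel and policycoreutils are needed). Afterwards `sesearch -A -s dnsconfd_t -t sysfs_t -c file` shows the resulting allow rule; that is the rule to narrow if a dedicated type for /sys/devices/system/cpu is ever introduced.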
