Bugs found by SELinux #5215
Labels
R: duplicate
Resolution: Another issue exists that is very similar to or subsumes this one.
Comments
|
Oops, double-post. Duplicate of #5124. |
andrewdavidwong
added
the
R: duplicate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Qubes OS version:
Qubes release 4.0 (R4.0)Affected component(s) or functionality:
Probably multiple. Bugs have been found in qrexec and qubes-firewall so far.
Steps to reproduce the behavior:
Run with SELinux in strict enforcing mode and start writing SELinux policies.
Expected or desired behavior:
qrexec-agentdoesn’t leak a Xen FD and a TTY FD to processes spawned by PAM.qubes-firewallships with.pycfiles in the RPM package.Actual behavior:
qrexec-agentleaks a Xen FD and a TTY FD to processes spawned by PAM.qubes-firewalldoesn’t ship with.pycfiles in the RPM package.General notes:
These show up as AVC denials. In the first case,
namespace_init_twas passed FDs belonging to Xen and a TTY, which SELinux (correctly) blocked. In the second case,init_twas trying to write compiled Python bytecode, which was also blocked.I have consulted the following relevant documentation:
I am aware of the following related, non-duplicate issues:
#4329, #4278, #4279
The text was updated successfully, but these errors were encountered: