whatthe
December 8, 2020, 8:26am
#1
hey all
Is it possible for Manjaro to upgrade libqb to 1.0.6 on the next update?
//github.com/ClusterLabs/libqb/releases/tag/v1.0.6
This is a minor update to the stable version of libqb. Mainly to allow it to work on gcc 10. There are a few other small changes too:
Christine Caulfield (3):
bump version for 1.0.6
Backported fixe...
in my official repository I can only update to 1.0.5-2
I need this update because usbguard is giving me problems and the fix that is explained here:
opened 08:45AM - 03 May 19 UTC
closed 10:18AM - 20 May 20 UTC
Since today on Fedora Rawhide I noticed that usbguard needs CAP_DAC_OVERRIDE
It… might be one of its dependencies that actually triggers this since I haven't actually seen a usbguard update in Fedora for some time.
Anyhow. I noticed that usbguard started to maintain its IPC /dev/shm objects in a directory:
```
[root@brutus ~]# ls -alZ /dev/shm
total 0
drwxrwxrwt. 3 root root sys.id:sys.role:fs.tmpfs.fs:s0 60 May 3 10:38 .
drwxr-xr-x. 20 root root sys.id:sys.role:fs.devtmpfs.fs:s0 4160 May 3 10:32 ..
drwxrwx---. 2 kcinimod kcinimod sys.id:sys.role:fs.tmpfs.fs:s0 160 May 3 10:34 qb-2728-1703-24-h4NOFB
```
However if you look at the permissions and ownership of this directory then you notice that `root` does not have access to this location.
This triggers a CAP_DAC_OVERRIDE:
```
May 03 10:34:06 brutus audit[1226]: AVC avc: denied { dac_override } for pid=1226 comm="usbguard-daemon" capability=1 scontext=sys.id:sys.role:usbguard.daemon.subj:s0 tcontext=sys.id:sys.role:usbguard.daemon.subj:s0 tclass=capability permissive=1
May 03 10:34:06 brutus audit[1226]: AVC avc: denied { dac_read_search } for pid=1226 comm="usbguard-daemon" capability=2 scontext=sys.id:sys.role:usbguard.daemon.subj:s0 tcontext=sys.id:sys.role:usbguard.daemon.subj:s0 tclass=capability permissive=1
May 03 10:34:06 brutus audit[1226]: AVC avc: denied { rmdir } for pid=1226 comm="usbguard-daemon" name="`qb-1208-1703-24-pUgZpU" dev="tmpfs" ino=39514 scontext=sys.id:sys.role:usbguard.daemon.subj:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=dir permissive=1
May 03 10:34:06 brutus systemd[1]: Stopping USBGuard daemon...
```
If you fix the ownership and permissions of the "/dev/shm/qb-1208-1703-24-pUgZpU" directory, then usbguard-daemon does not need access to CAP_DAC_OVERRIDE. Needless to say that this would be a big security improvement.
is considered unsafe. The safer method is to just upgrade libqb to 1.0.6
so I want to ask the Manjaro team to implement this update on the next update
thank you very much in advance
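An added example, not part of the original post or of the quoted issue: a Python check for `qb-*` directories whose mode bits deny a given uid/gid, which is the condition that makes usbguard-daemon fall back on CAP_DAC_OVERRIDE. The function names, the rwx requirement and the `qb-constructed-open` sample directory are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def dac_allows(st_uid, st_gid, st_mode, uid, gids, want=0o7):
    """Classic Unix mode-bit check with no capabilities: owner, then group, then other."""
    if uid == st_uid:
        granted = (st_mode >> 6) & 0o7
    elif st_gid in gids:
        granted = (st_mode >> 3) & 0o7
    else:
        granted = st_mode & 0o7
    return (granted & want) == want


def qb_dirs_needing_override(shm_root, uid=0, gids=(0,), want=0o7):
    """Names of qb-* directories the given uid/gids cannot use by mode bits alone.

    Assumption: the daemon wants read, write and search (rwx) on the directory
    to list and remove its contents. POSIX ACLs and SELinux are not modelled.
    """
    hits = []
    for entry in sorted(Path(shm_root).glob("qb-*")):
        st = entry.lstat()
        if stat.S_ISDIR(st.st_mode) and not dac_allows(
            st.st_uid, st.st_gid, st.st_mode, uid, gids, want
        ):
            hits.append(entry.name)
    return hits


def demo():
    """Constructed tree: the 0770 directory name from the post plus an open one."""
    samples = (("qb-2728-1703-24-h4NOFB", 0o770), ("qb-constructed-open", 0o777))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask cannot change it
        # Model the accessing daemon as a uid/gid that does not own the directories.
        return qb_dirs_needing_override(
            root, uid=os.getuid() + 1, gids=(os.getgid() + 1,)
        )


if __name__ == "__main__":
    print(demo())
    print(qb_dirs_needing_override("/dev/shm"))  # real check, as seen by root
```

An empty list for `/dev/shm` means every `qb-*` directory there is reachable by root through ordinary mode bits.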
steanne
December 8, 2020, 8:45am
#2
that’s one Manjaro inherits from Arch so normally it would be coming from them soon, but in this case, it’s been flagged out of date since May, so Manjaro might want to act on it themselves, especially since 1.0.6 isn’t the latest either, 2.0.2 is.
whatthe
December 8, 2020, 8:34pm
#3
I NEED TO SPEAK TO A MANAGER AND I WANT MY MONEY BACK!