Bug 297317 - improper handling of seeded device nodes in udev-mount on SELinux systems
Summary: improper handling of seeded device nodes in udev-mount on SELinux systems
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: x86 Linux
Importance: High major
Assignee: udev maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 322513
Reported: 2009-12-17 19:53 UTC by Chris Richards
Modified: 2010-06-02 20:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge-info.txt, 3.15 KB, text/plain), 2009-12-17 19:56 UTC, Chris Richards
Modifications to /etc/init.d/udev-mount (udev-mount.diff, 1.33 KB, patch), 2009-12-17 20:00 UTC, Chris Richards

Description Chris Richards 2009-12-17 19:53:13 UTC
During system startup, there are AVC denials attempting to access /dev/null from both /etc/init.d/udev-mount and /etc/init.d/udev.  This is due to the SELinux context of this device not being properly set by the udev-mount init script.

Reproducible: Always

Steps to Reproduce:
1. Reboot system with SELinux in strict policy enforcing mode
2. Observe errors accessing /dev/null by udev-mount and udev

Actual Results:  
On console, you will see errors similar to the following:
 *mounting /dev ...           [ok]
/etc/init.d/udev-mount: line 63: /dev/null: Permission denied
/etc/init.d/udev: line 69: /dev/null: Permission denied
 *starting udevd ...          [ok]

There will also be entries in /var/log/avc.log similar to the following:
Dec 17 19:47:10 aoaforums kernel: type=1400 audit(1261079213.444:6): avc:  denied  { write } for  pid=461 comm="bash" name="null" dev=tmpfs ino=1449 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file


Expected Results:  
No AVC denials recorded in /var/log/avc.log and no errors shown on console.

This problem also affects the 20091215 policy.  I suspect that it also affects targeted policy, though I've not tested that.  It appears to be the result of not relabeling certain devices that are created in the init script before they are actually used.  I've attached a diff with the changes I made to /etc/init.d/udev-mount (at PeBenito's direction) to resolve this.

I've also attached my emerge --info
Comment 1 Chris Richards 2009-12-17 19:56:04 UTC
Created attachment 213319
emerge --info
Comment 2 Chris Richards 2009-12-17 20:00:16 UTC
Created attachment 213321
Modifications to /etc/init.d/udev-mount
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2009-12-17 20:09:38 UTC
I want to clarify that this is not a SELinux policy problem.  Since the device nodes are created inside the udev-mount script instead of by udevd, the devices do not have correct SELinux labels until udevd starts and fills out /dev completely, which is a race condition.  In fact we currently always lose the race, since the script creates /dev/null, and then later in the script it does a redirection to /dev/null (which is before udevd starts).
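The race PeBenito describes has two practical sides: recognising the symptom in the audit log (a denial whose target is a character device still carrying tmpfs's generic device_t label, as in the AVC line in the description) and ordering the init script so a seeded node is relabeled before anything redirects to it. The script below is an added illustration of both, not the attached udev-mount.diff and not Gentoo's udev-mount script; the function names, the sample AVC line (copied from the description) and the second, already-labeled line used for contrast are constructed for the example. mknod, restorecon and selinuxenabled are the standard tools; the expectation that restorecon gives /dev/null the null_device_t label comes from the reference policy's file_contexts.

```shell
#!/bin/sh
# Added example: detect the "generic device_t on a chr_file" symptom from an
# AVC line, and seed a device node in the order the bug calls for
# (create, relabel, then use). Not the bug's attached patch.

# Extract the value of a key=value token from an audit line, e.g. tcontext.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# Print "mislabeled" (exit 0) when the line is an AVC denial on a chr_file
# whose target type is the generic device_t, i.e. a node udevd has not yet
# labeled; print "other" (exit 1) for anything else.
classify_avc_line() {
    case $1 in
        *avc:*denied*) ;;
        *) echo other; return 1 ;;
    esac
    tcontext=$(avc_field "$1" tcontext)
    tclass=$(avc_field "$1" tclass)
    ttype=$(printf '%s\n' "$tcontext" | cut -d: -f3)   # user:role:type[:level]
    if [ "$ttype" = device_t ] && [ "$tclass" = chr_file ]; then
        echo mislabeled; return 0
    fi
    echo other; return 1
}

# Create a character device node and relabel it BEFORE it is used. The
# relabel is skipped on a box without SELinux. Needs root; arguments are
# path, major, minor (1 3 for /dev/null).
seed_dev_node() {
    path=$1 major=$2 minor=$3
    [ -e "$path" ] || mknod -m 666 "$path" c "$major" "$minor" || return 1
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        # restorecon applies the file_contexts label (null_device_t for
        # /dev/null in refpolicy) so the node no longer carries the
        # filesystem's default device_t. Doing this here, rather than
        # waiting for udevd, is what removes the race.
        restorecon "$path" || return 1
    fi
    # Only now is a redirection to the node safe under a strict policy.
    : >"$path"
}

# Constructed sample input: the denial quoted in the bug description.
SAMPLE_AVC='Dec 17 19:47:10 aoaforums kernel: type=1400 audit(1261079213.444:6): avc:  denied  { write } for  pid=461 comm="bash" name="null" dev=tmpfs ino=1449 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file'

# Usage: "./seed.sh check" classifies the sample line;
#        "./seed.sh seed" (as root) seeds /dev/null with the safe ordering.
case ${1-} in
    check) classify_avc_line "$SAMPLE_AVC" ;;
    seed)  [ "$(id -u)" -eq 0 ] && seed_dev_node /dev/null 1 3 ;;
esac
```

Running `grep 'avc:' /var/log/avc.log | while read -r l; do classify_avc_line "$l"; done` over a real log would list every denial of this shape; after the fix, a udev-mount boot should produce none, because by the time the script redirects to /dev/null the node already carries its policy label.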
Comment 4 Matthias Schwarzott gentoo-dev 2010-01-29 21:15:10 UTC
Added this change to udev-151.