Bug 412421 - >=sys-fs/udev-180 on selinux
Summary: >=sys-fs/udev-180 on selinux
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard: sec-policy r10
Keywords:
Depends on: 413719
Blocks:
Reported: 2012-04-17 21:11 UTC by Amadeusz Sławiński
Modified: 2012-07-30 16:38 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Amadeusz Sławiński 2012-04-17 21:11:56 UTC
As talked about on IRC:

Starting from >=sys-fs/udev-180 (I tested with sys-fs/udev-182-r3), udev has migrated from /var/run to /run.

/run/udev/ needs to be labeled with system_u:object_r:udev_tbl_t.
A temporary fix is adding "restorecon /run/udev" after "checkpath -d -m 0755 -o root:root -q /run/udev" in /etc/init.d/udev.
The proper one, from what I understood, is doing a TODO item in openrc.

/sbin/udevadm is now a symbolic link to /usr/bin/udevadm, so it also needs proper labels.

However, with those changes made it still has problems (from grep udev /var/log/avc.log):

in enforcing:
Apr 17 22:31:56 lain kernel: [   13.678069] type=1400 audit(1334701908.387:5): avc:  denied  { write } for  pid=1381 comm="mkdir" name="udev" dev="tmpfs" ino=2490 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:31:56 lain kernel: [   13.774747] type=1400 audit(1334701908.483:6): avc:  denied  { read } for  pid=1392 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   13.774837] type=1400 audit(1334701908.483:7): avc:  denied  { read } for  pid=1392 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   13.775164] type=1400 audit(1334701908.487:8): avc:  denied  { read } for  pid=1392 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   13.775200] type=1400 audit(1334701908.487:9): avc:  denied  { read } for  pid=1392 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   13.793049] type=1400 audit(1334701908.503:10): avc:  denied  { read } for  pid=1392 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   13.793087] type=1400 audit(1334701908.503:11): avc:  denied  { read } for  pid=1392 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.230864] type=1400 audit(1334694716.273:43): avc:  denied  { write } for  pid=1819 comm="mkdir" name="udev" dev="tmpfs" ino=2490 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:31:56 lain kernel: [   20.302094] type=1400 audit(1334694716.346:44): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.302135] type=1400 audit(1334694716.346:45): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.302360] type=1400 audit(1334694716.346:46): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.302395] type=1400 audit(1334694716.346:47): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.302793] type=1400 audit(1334694716.346:48): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.302830] type=1400 audit(1334694716.346:49): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.302954] type=1400 audit(1334694716.346:50): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [   20.303003] type=1400 audit(1334694716.346:51): avc:  denied  { read } for  pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file

in permissive:
Apr 17 22:36:10 lain kernel: [   19.056480] type=1400 audit(1334694968.386:131): avc:  denied  { setattr } for  pid=1580 comm="udevd" name="vcs2" dev="devtmpfs" ino=508 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Apr 17 22:36:10 lain kernel: [   19.058233] type=1400 audit(1334694968.390:132): avc:  denied  { check_context } for  pid=1580 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security
Apr 17 22:36:10 lain kernel: [   19.058272] type=1400 audit(1334694968.390:133): avc:  denied  { relabelfrom } for  pid=1580 comm="udevd" name="vcs2" dev="devtmpfs" ino=508 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Apr 17 22:36:10 lain kernel: [   21.307073] type=1400 audit(1334694970.643:135): avc:  denied  { read } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:36:10 lain kernel: [   21.307162] type=1400 audit(1334694970.643:136): avc:  denied  { write } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.684999] type=1400 audit(1334695025.129:173): avc:  denied  { read } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.687880] type=1400 audit(1334695025.129:174): avc:  denied  { create } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.687917] type=1400 audit(1334695025.129:175): avc:  denied  { bind } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.687982] type=1400 audit(1334695025.129:176): avc:  denied  { getattr } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.688011] type=1400 audit(1334695025.133:177): avc:  denied  { setopt } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.688899] type=1400 audit(1334695025.133:178): avc:  denied  { write } for  pid=2601 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.689014] type=1400 audit(1334695025.133:179): avc:  denied  { sendto } for  pid=2601 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket
Apr 17 22:37:05 lain kernel: [   75.689125] type=1400 audit(1334695025.133:180): avc:  denied  { write } for  pid=1397 comm="udevd" name="udev" dev="tmpfs" ino=2182 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:37:05 lain kernel: [   75.689147] type=1400 audit(1334695025.133:181): avc:  denied  { add_name } for  pid=1397 comm="udevd" name="queue.tmp" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:42:34 lain kernel: [  403.935259] type=1400 audit(1334695354.030:232): avc:  denied  { read } for  pid=3112 comm="bash" name="udevadm" dev="dm-0" ino=25952259 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:udev_exec_t tclass=lnk_file


Reproducible: Always
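The denials quoted above are easier to reason about once they are grouped by source type, target type and object class, the way audit2allow prints them. The following is an added example, not part of the bug report and not code from openrc or udev: it parses AVC denial lines of the shape shown in the report, folds them into allow-rule form, and lists which command ran in which source domain. The first five sample lines are copied from the report; the last one is a constructed non-AVC line to show that unrelated output is skipped.

```python
"""Summarise SELinux AVC denials from kernel/audit log lines.

Added example (not part of the bug report or of openrc/udev): groups the
denials quoted above into audit2allow-style lines so the remaining
permissions are visible at a glance, and lists which commands ran in
which source domain.
"""
import re
from collections import defaultdict

# Sample input: five lines copied from the report above plus one constructed
# line that is not an AVC denial at all.
SAMPLE_AVC = """\
Apr 17 22:37:05 lain kernel: [   75.689125] type=1400 audit(1334695025.133:180): avc:  denied  { write } for  pid=1397 comm="udevd" name="udev" dev="tmpfs" ino=2182 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:37:05 lain kernel: [   75.689147] type=1400 audit(1334695025.133:181): avc:  denied  { add_name } for  pid=1397 comm="udevd" name="queue.tmp" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:37:05 lain kernel: [   75.687880] type=1400 audit(1334695025.129:174): avc:  denied  { create } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [   75.687917] type=1400 audit(1334695025.129:175): avc:  denied  { bind } for  pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:36:10 lain kernel: [   19.056480] type=1400 audit(1334694968.386:131): avc:  denied  { setattr } for  pid=1580 comm="udevd" name="vcs2" dev="devtmpfs" ino=508 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Apr 17 22:31:56 lain kernel: [   13.774747] constructed line that is not an AVC denial
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one denial line into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key].update(rec["perms"])
    return dict(summary)


def as_rules(summary):
    """Render the summary as allow rules in the form audit2allow prints.

    A target type equal to the source type is written as 'self'. Treat the
    output as a diagnostic: in this report every denial has scontext
    initrc_t for comm udevd, i.e. udevd never entered its own domain, which
    points at the labelling problems the report describes rather than at
    missing permissions for initrc_t.
    """
    rules = []
    for (src, tgt, cls), perms in summary.items():
        tgt = "self" if tgt == src else tgt
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return sorted(rules)


def domains_of(lines):
    """Map each command name to the set of source domains it was denied in."""
    domains = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["comm"]:
            domains[rec["comm"]].add(context_type(rec["scontext"]))
    return dict(domains)


if __name__ == "__main__":
    sample_lines = SAMPLE_AVC.splitlines()
    for rule in as_rules(summarize(sample_lines)):
        print(rule)
    print(domains_of(sample_lines))
```

Feed it `grep avc /var/log/avc.log` (or the kernel log) instead of the sample and the domain listing is the quickest way to see whether a daemon is running in initrc_t instead of its own domain, which is the situation the denials in this bug reflect.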
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-18 19:57:40 UTC
Looks like, if we need to patch openrc, it'll be in src/src/checkpath.c. Something similar to

#ifdef SELINUX
#include <selinux/selinux.h>   /* matchpathcon, setfscreatecon, freecon */
#endif

#ifdef SELINUX
  char *context = NULL;
  /* look up the label that file_contexts assigns to this path */
  if (matchpathcon(path, 0700, &context) == 0) {
    /* files created by this process from now on get that label */
    setfscreatecon(context);
    freecon(context);
  }
#endif
  ... create file or directory ...
#ifdef SELINUX
  /* back to the default creation label */
  setfscreatecon(NULL);
#endif
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-20 18:53:08 UTC
Looks like the following steps are needed:

---[ In /etc/fstab: ]
tmpfs  /run  tmpfs   mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t

---[ As additional policy ]
allow kernel_t device_t:chr_file setattr;


With these two in place, I am able to boot up a ~arch system in enforcing mode immediately. A few denials are still visible, but do not influence the system behavior.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-26 16:01:18 UTC
The fstab line has been added to the installation instructions.

The SELinux policy update is in the hardened-dev overlay.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:59:32 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:38:05 UTC
Stabilized