As discussed on irc, starting from >=sys-fs/udev-180 (I tested with sys-fs/udev-182-r3) udev has migrated from /var/run to /run.

/run/udev/ needs to be labeled with system_u:object_r:udev_tbl_t.
A temporary fix is adding "restorecon /run/udev" after "checkpath -d -m 0755 -o root:root -q /run/udev" in /etc/init.d/udev.
The proper one, from what I understood, is doing a TODO item in openrc.

/sbin/udevadm is now a symbolic link to /usr/bin/udevadm, so it also needs proper labels.

However, with those changes made it still has problems (from grep udev /var/log/avc.log):

in enforcing:

Apr 17 22:31:56 lain kernel: [ 13.678069] type=1400 audit(1334701908.387:5): avc: denied { write } for pid=1381 comm="mkdir" name="udev" dev="tmpfs" ino=2490 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:31:56 lain kernel: [ 13.774747] type=1400 audit(1334701908.483:6): avc: denied { read } for pid=1392 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 13.774837] type=1400 audit(1334701908.483:7): avc: denied { read } for pid=1392 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 13.775164] type=1400 audit(1334701908.487:8): avc: denied { read } for pid=1392 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 13.775200] type=1400 audit(1334701908.487:9): avc: denied { read } for pid=1392 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 13.793049] type=1400 audit(1334701908.503:10): avc: denied { read } for pid=1392 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 13.793087] type=1400 audit(1334701908.503:11): avc: denied { read } for pid=1392 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.230864] type=1400 audit(1334694716.273:43): avc: denied { write } for pid=1819 comm="mkdir" name="udev" dev="tmpfs" ino=2490 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:31:56 lain kernel: [ 20.302094] type=1400 audit(1334694716.346:44): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.302135] type=1400 audit(1334694716.346:45): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.302360] type=1400 audit(1334694716.346:46): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.302395] type=1400 audit(1334694716.346:47): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.302793] type=1400 audit(1334694716.346:48): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.302830] type=1400 audit(1334694716.346:49): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.302954] type=1400 audit(1334694716.346:50): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts.subs_dist" dev="dm-0" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr 17 22:31:56 lain kernel: [ 20.303003] type=1400 audit(1334694716.346:51): avc: denied { read } for pid=1830 comm="udevd" name="file_contexts" dev="dm-0" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file

in permissive:

Apr 17 22:36:10 lain kernel: [ 19.056480] type=1400 audit(1334694968.386:131): avc: denied { setattr } for pid=1580 comm="udevd" name="vcs2" dev="devtmpfs" ino=508 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Apr 17 22:36:10 lain kernel: [ 19.058233] type=1400 audit(1334694968.390:132): avc: denied { check_context } for pid=1580 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=security
Apr 17 22:36:10 lain kernel: [ 19.058272] type=1400 audit(1334694968.390:133): avc: denied { relabelfrom } for pid=1580 comm="udevd" name="vcs2" dev="devtmpfs" ino=508 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:device_t tclass=chr_file
Apr 17 22:36:10 lain kernel: [ 21.307073] type=1400 audit(1334694970.643:135): avc: denied { read } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:36:10 lain kernel: [ 21.307162] type=1400 audit(1334694970.643:136): avc: denied { write } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.684999] type=1400 audit(1334695025.129:173): avc: denied { read } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.687880] type=1400 audit(1334695025.129:174): avc: denied { create } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.687917] type=1400 audit(1334695025.129:175): avc: denied { bind } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.687982] type=1400 audit(1334695025.129:176): avc: denied { getattr } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.688011] type=1400 audit(1334695025.133:177): avc: denied { setopt } for pid=1397 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.688899] type=1400 audit(1334695025.133:178): avc: denied { write } for pid=2601 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket
Apr 17 22:37:05 lain kernel: [ 75.689014] type=1400 audit(1334695025.133:179): avc: denied { sendto } for pid=2601 comm="udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket
Apr 17 22:37:05 lain kernel: [ 75.689125] type=1400 audit(1334695025.133:180): avc: denied { write } for pid=1397 comm="udevd" name="udev" dev="tmpfs" ino=2182 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:37:05 lain kernel: [ 75.689147] type=1400 audit(1334695025.133:181): avc: denied { add_name } for pid=1397 comm="udevd" name="queue.tmp" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Apr 17 22:42:34 lain kernel: [ 403.935259] type=1400 audit(1334695354.030:232): avc: denied { read } for pid=3112 comm="bash" name="udevadm" dev="dm-0" ino=25952259 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:udev_exec_t tclass=lnk_file

Reproducible: Always
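The denials above are a lot of repetition of a few (source type, target type, class) triples. The program below is an added example, not part of the bug report and not a Gentoo or policy tool: it parses AVC lines of the syslog/dmesg shape shown in the report, takes the type field out of each context, and folds every distinct triple into one candidate allow rule with the union of the denied permissions, which is the first thing a policy maintainer does with a log like this (audit2allow does the same, more completely). The sample log lines are constructed after the ones in the report and the final non-AVC line is made up to show it is skipped. Only the first permission inside the braces is taken, which is enough for the kernel's one-permission-per-line format used here; the rules it prints are input for a human, not something to load blindly.

```c
/* avc2allow.c: fold SELinux AVC denial lines into candidate allow rules.
 * Added example, not the bug report's or any Gentoo tool's code. */
#include <stdio.h>
#include <string.h>

#define FIELD 64
#define MAXRULES 64

struct avc_denial {
    char perm[FIELD];
    char stype[FIELD], ttype[FIELD];   /* type components of scontext= / tcontext= */
    char tclass[FIELD];
};

struct rule {                          /* one per distinct (stype, ttype, tclass) */
    char stype[FIELD], ttype[FIELD], tclass[FIELD];
    char perms[256];                   /* space separated, no duplicates */
};

/* Copy the value that follows `key` (e.g. "tclass=") up to the next space. */
static int field(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (!p)
        return 0;
    for (p += strlen(key); *p && *p != ' ' && *p != '\n' && i + 1 < n; p++)
        out[i++] = *p;
    out[i] = '\0';
    return i > 0;
}

/* The type is the third colon-separated field of user:role:type[:level]. */
static int context_type(const char *ctx, char *out, size_t n)
{
    const char *p = ctx;
    size_t i = 0;
    for (int k = 0; k < 2; k++) {
        if (!(p = strchr(p, ':')))
            return 0;
        p++;
    }
    while (*p && *p != ':' && i + 1 < n)
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* Parse one log line; returns 1 if it is an AVC denial, 0 for anything else. */
int parse_avc(const char *line, struct avc_denial *d)
{
    static const char marker[] = "avc: denied { ";
    const char *p = strstr(line, marker);
    char ctx[128];
    size_t i = 0;
    if (!p)
        return 0;
    for (p += sizeof marker - 1; *p && *p != ' ' && i + 1 < sizeof d->perm; p++)
        d->perm[i++] = *p;
    d->perm[i] = '\0';
    if (!field(line, "scontext=", ctx, sizeof ctx) || !context_type(ctx, d->stype, FIELD))
        return 0;
    if (!field(line, "tcontext=", ctx, sizeof ctx) || !context_type(ctx, d->ttype, FIELD))
        return 0;
    return field(line, "tclass=", d->tclass, FIELD);
}

/* Is `perm` already one of the whole words in the space-separated `perms`? */
static int has_perm(const char *perms, const char *perm)
{
    size_t n = strlen(perm);
    for (const char *p = perms; (p = strstr(p, perm)) != NULL; p += n)
        if ((p == perms || p[-1] == ' ') && (p[n] == '\0' || p[n] == ' '))
            return 1;
    return 0;
}

/* Merge denial lines into rules; returns the number of distinct rules filled. */
int aggregate(const char *const *lines, int nlines, struct rule *rules, int maxrules)
{
    int nrules = 0;
    for (int i = 0; i < nlines; i++) {
        struct avc_denial d;
        int j;
        if (!parse_avc(lines[i], &d))
            continue;                             /* not an AVC line */
        for (j = 0; j < nrules; j++)
            if (!strcmp(rules[j].stype, d.stype) && !strcmp(rules[j].ttype, d.ttype) &&
                !strcmp(rules[j].tclass, d.tclass))
                break;
        if (j == nrules) {                        /* new triple */
            if (nrules == maxrules)
                break;
            strcpy(rules[j].stype, d.stype);
            strcpy(rules[j].ttype, d.ttype);
            strcpy(rules[j].tclass, d.tclass);
            rules[j].perms[0] = '\0';
            nrules++;
        }
        if (!has_perm(rules[j].perms, d.perm)) {  /* union of permissions */
            size_t len = strlen(rules[j].perms);
            snprintf(rules[j].perms + len, sizeof rules[j].perms - len, "%s%s", len ? " " : "", d.perm);
        }
    }
    return nrules;
}

/* Constructed sample, modelled on the report's denials; the last line is a made-up non-AVC line. */
static const char *const sample_log[] = {
    "Apr 17 22:31:56 lain kernel: [ 13.678069] type=1400 audit(1334701908.387:5): avc: denied { write } for pid=1381 comm=\"mkdir\" name=\"udev\" dev=\"tmpfs\" ino=2490 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir",
    "type=1400 audit(1334695025.133:181): avc: denied { add_name } for pid=1397 comm=\"udevd\" name=\"queue.tmp\" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_tbl_t tclass=dir",
    "type=1400 audit(1334701908.483:6): avc: denied { read } for pid=1392 comm=\"udevd\" name=\"file_contexts.subs_dist\" dev=\"dm-0\" ino=8147319 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:file_context_t tclass=file",
    "type=1400 audit(1334701908.483:7): avc: denied { read } for pid=1392 comm=\"udevd\" name=\"file_contexts\" dev=\"dm-0\" ino=20841264 scontext=system_u:system_r:initrc_t tcontext=staff_u:object_r:file_context_t tclass=file",
    "type=1400 audit(1334694970.643:135): avc: denied { read } for pid=1397 comm=\"udevd\" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket",
    "type=1400 audit(1334694970.643:136): avc: denied { write } for pid=1397 comm=\"udevd\" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket",
    "type=1400 audit(1334695354.030:232): avc: denied { read } for pid=3112 comm=\"bash\" name=\"udevadm\" dev=\"dm-0\" ino=25952259 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:udev_exec_t tclass=lnk_file",
    "Apr 17 22:31:56 lain kernel: [ 13.500000] udevd[1392]: starting version 182",
};
#define SAMPLE_COUNT ((int)(sizeof sample_log / sizeof sample_log[0]))

int main(void)
{
    struct rule rules[MAXRULES];
    int n = aggregate(sample_log, SAMPLE_COUNT, rules, MAXRULES);
    for (int i = 0; i < n; i++)
        printf("allow %s %s:%s { %s };\n", rules[i].stype, rules[i].ttype, rules[i].tclass, rules[i].perms);
    return 0;
}
```

On the sample this prints four rules, e.g. `allow initrc_t udev_tbl_t:dir { write add_name };`. Note that the two file_context_t lines differ only in the user part of the context (system_u vs staff_u), so they collapse into one rule, which is exactly why the type, not the whole context, is the key. The staff_t read on the udevadm lnk_file is a separate rule and points at the missing label on the new /sbin/udevadm symlink rather than at udev itself.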
Looks like, if we need to patch openrc, it'll be in src/src/checkpath.c. Something similar to:

    #ifdef SELINUX
    /* the mode argument selects the file type to match: S_IFDIR here, S_IFREG for a file */
    if (matchpathcon(path, S_IFDIR, &context) == 0) {
        setfscreatecon(context);
        freecon(context);
    }
    #endif

    ... create file or directory ...

    #ifdef SELINUX
    setfscreatecon(NULL);
    #endif
Looks like the following steps are needed:

---[ In /etc/fstab: ]
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t

---[ As additional policy ]
allow kernel_t device_t:chr_file setattr;

With these two in place, I am able to boot up a ~arch system in enforcing mode immediately. A few denials are still visible, but do not influence the system behavior.
The fstab line has been added to the installation instructions. The SELinux policy update is in the hardened-dev overlay.
In main tree, ~arch'ed
Stabilized