An issue came up when dealing with kdevtmpfs. It seems that kdevtmpfs, which runs in kernel_t mode (of course), requires the following privilege:

allow kernel_t device_t:chr_file setattr;

It executes this privilege on the device files in its /dev structure and without it, we get failures (udev fails to start, quite a few "matchpathcon failed" errors, etc.).

Since kernel_t already has the rights to create and delete device_t chr_files and it seems to need setattr here as well, I'll just add it in.

Reproducible: Always
Privilege will be in -r10
FYI: failures seen when privilege not allowed:

May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/fd) failed
May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/stdin) failed
May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/stdout) failed
May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/stderr) failed
May 16 21:57:03 testsys udevd[1448]: error getting socket: Permission denied
May 16 21:57:03 testsys udevd[1448]: error initializing netlink socket
May 16 21:57:03 testsys /etc/init.d/udev[1447]: start-stop-daemon: failed to start `/lib/udev/udevd'
May 16 21:57:03 testsys /etc/init.d/udev[1426]: ERROR: udev failed to start

When allowed, these failures are gone. Can't really find out why the failures occur (what attribute does kdevtmpfs want to set that is so important here - context?) but the fix is clear.
Policy update is in hardened-dev overlay (r10)
In main tree, ~arch'ed
Stabilized