Bug 529340 - Some minor tuning such that genkernel works under selinux
Summary: Some minor tuning such that genkernel works under selinux
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Jason Zaman
Whiteboard: sec-policy r1
Reported: 2014-11-15 14:59 UTC by Eric Gisse
Modified: 2014-12-21 14:12 UTC
Description Eric Gisse 2014-11-15 14:59:50 UTC
I use sys-apps/genkernel-next (this applies to regular genkernel as well) to build my initrds so I can have handy things like luks / lvm / whatever in them.

As a part of that build process, device nodes have to be managed in order to build the initrd, which SELinux doesn't like:

Nov 15 08:26:39 testbed kernel: [  970.214459] audit: type=1400 audit(1416061599.124:72): avc:  denied  { create } for  pid=11696 comm="mknod" name="console" ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
Nov 15 08:26:39 testbed kernel: [  970.214521] audit: type=1400 audit(1416061599.124:73): avc:  denied  { setattr } for  pid=11696 comm="mknod" name="console" dev="dm-4" ino=544891 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
Nov 15 08:26:39 testbed kernel: [  970.238119] audit: type=1400 audit(1416061599.147:74): avc:  denied  { unlink } for  pid=11707 comm="rm" name="tty1" dev="dm-4" ino=544895 ipaddr=173.173.113.156 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1

This is pretty easy to fix for sysadm_r:

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 54c3026..333476f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)

 init_exec(sysadm_t)
+allow sysadm_t user_tmp_t:chr_file manage_chr_file_perms;

 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
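Review bot: the added line `+allow sysadm_t user_tmp_t:chr_file manage_chr_file_perms;` is a raw allow in a role module against a type that the userdomain module owns (user_tmp_t), which breaks refpolicy's layering convention of reaching other modules' types only through interfaces in their .if file; calling (or, if none fits, adding) a userdom_* interface for chr_file access to user_tmp_t keeps the dependency visible and lets sysadm.te survive a type rename. The permission set does match the three denials quoted above (create, setattr and unlink are all members of manage_chr_file_perms), and because every quoted line carries permissive=1 the log already shows the complete sequence of accesses genkernel attempts, so the wider macro is a convenience rather than a cover for an unseen failure. A one-line comment stating why the rule exists (genkernel building device nodes under a user_tmp_t directory), in the style of the `# Add/remove user home directories` comment that follows, would stop the next reader from treating it as a leftover.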

This will mean that genkernel (still) won't work on a normal root login of staff_t, but I think that's OK. If you need to be tinkering with device nodes, you are going to be in sysadm_r anyway. Plus you need to be able to manage the contents of /boot.

Patch:

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 54c3026..333476f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -34,6 +34,7 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)

 init_exec(sysadm_t)
+allow sysadm_t user_tmp_t:chr_file manage_chr_file_perms;

 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
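Review bot: this hunk is byte-for-byte identical to the one above (same `index 54c3026..333476f` line, same added rule), so only one copy should be applied; the reporter's Comment 1 confirms it is an accidental duplicate paste rather than a second change.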

Reproducible: Always
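To show how the three AVC lines above collapse into the single rule proposed in the patch, here is an added example (not code from the bug report, genkernel or refpolicy) that groups denials by source type, target type and object class the way audit2allow does, and then checks whether a refpolicy permission-set macro covers the collected permissions. The input is the report's own three denials with the syslog prefix and ipaddr= field stripped; the contents of PERM_SETS are assumed to match the definitions in refpolicy's obj_perm_sets.spt and should be checked against the policy tree you build from, since newer releases have extended some sets.

```python
"""Group SELinux AVC denials and map them to candidate allow rules.

Added example for the bug discussion; it is not part of genkernel, refpolicy
or the sec-policy ebuilds.
"""
import re
from collections import defaultdict

# Constructed sample input: the three denials quoted in the report, with the
# "Nov 15 ... kernel: [...]" prefix and the ipaddr= field removed.
SAMPLE_AVC = """\
audit: type=1400 audit(1416061599.124:72): avc:  denied  { create } for  pid=11696 comm="mknod" name="console" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
audit: type=1400 audit(1416061599.124:73): avc:  denied  { setattr } for  pid=11696 comm="mknod" name="console" dev="dm-4" ino=544891 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
audit: type=1400 audit(1416061599.147:74): avc:  denied  { unlink } for  pid=11707 comm="rm" name="tty1" dev="dm-4" ino=544895 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmp_t tclass=chr_file permissive=1
"""

# Permission-set macros per object class, as assumed from refpolicy's
# policy/support/obj_perm_sets.spt; verify against your own tree.
PERM_SETS = {
    "chr_file": {
        "rw_chr_file_perms": {"open", "getattr", "read", "write", "append",
                              "ioctl", "lock"},
        "manage_chr_file_perms": {"create", "open", "getattr", "setattr", "read",
                                  "write", "append", "rename", "link", "unlink",
                                  "ioctl", "lock"},
    },
}

# One AVC denial: the permission list in braces, then the two contexts and the
# class; permissive= is optional because enforcing-mode kernels omit it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(text):
    """Return one dict per denial line; lines that are not AVC denials are skipped."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        found.append({
            "perms": set(m["perms"].split()),
            "stype": m["scon"].split(":")[2],   # user:role:type -> type
            "ttype": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
            "permissive": m["permissive"] == "1",
        })
    return found


def group_denials(text):
    """Merge denials sharing (source type, target type, class) into one permission set."""
    groups = defaultdict(set)
    for d in parse_avc(text):
        groups[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(groups)


def covering_set(tclass, perms):
    """Name of the smallest known macro for tclass that is a superset of perms, or None."""
    candidates = [(len(s), name) for name, s in PERM_SETS.get(tclass, {}).items()
                  if perms <= s]
    return min(candidates)[1] if candidates else None


def render_rules(text):
    """Return (explicit_rules, macro_rules): the minimal rules and the macro-based ones."""
    explicit, macro = [], []
    for (stype, ttype, tclass), perms in sorted(group_denials(text).items()):
        plist = " ".join(sorted(perms))
        explicit.append(f"allow {stype} {ttype}:{tclass} {{ {plist} }};")
        name = covering_set(tclass, perms)
        macro.append(f"allow {stype} {ttype}:{tclass} {name};" if name else explicit[-1])
    return explicit, macro


def permissive_count(text):
    """How many of the denials were logged in permissive mode (i.e. not actually blocked)."""
    return sum(d["permissive"] for d in parse_avc(text))


if __name__ == "__main__":
    minimal, with_macros = render_rules(SAMPLE_AVC)
    print("# minimal:", *minimal, sep="\n")
    print("# with refpolicy macros:", *with_macros, sep="\n")
    print(f"# {permissive_count(SAMPLE_AVC)} denial(s) logged in permissive mode")
```

The permissive count matters when reading a log like the one above: with permissive=1 every access proceeds, so the audit trail shows the full create, setattr, unlink sequence; in enforcing mode mknod would have failed at the first denial and the later two would never have been attempted, so a rule derived from an enforcing-mode log alone would be incomplete.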
Comment 1 Eric Gisse 2014-11-15 15:01:06 UTC
Oops, disregard the double patch.

Bug entry window is small :p
Comment 2 Jason Zaman gentoo-dev 2014-11-27 14:55:33 UTC
This has been fixed in the master branch in the repo.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 16:14:20 UTC
Will be part of the r8 release.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:12:54 UTC
r1 is now stable.