
Bug 416323

Summary: devtmpfs support and SELinux issues
Product: Gentoo Linux
Component: Hardened
Reporter: Sven Vermeulen (RETIRED) <swift>
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
Priority: Normal
CC: selinux
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r10
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-05-16 20:26:08 UTC
An issue came up when dealing with kdevtmpfs.

It seems that kdevtmpfs, which runs in kernel_t mode (of course), requires the following privilege:
allow kernel_t device_t:chr_file setattr;

It executes this privilege on the device files in its /dev structure and without it, we get failures (udev fails to start, quite a few "matchpathcon failed" errors, etc.)

Since kernel_t already has the rights to create and delete device_t chr_files and it seems to need setattr here as well, I'll just add it in.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-16 20:29:17 UTC
Privilege will be in -r10
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-16 20:33:39 UTC
fyi: failures seen when privilege not allowed:

May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/fd) failed
May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/stdin) failed
May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/stdout) failed
May 16 21:57:03 testsys udevd[1448]: matchpathcon(/dev/stderr) failed
May 16 21:57:03 testsys udevd[1448]: error getting socket: Permission denied
May 16 21:57:03 testsys udevd[1448]: error initializing netlink socket
May 16 21:57:03 testsys /etc/init.d/udev[1447]: start-stop-daemon: failed to start `/lib/udev/udevd'
May 16 21:57:03 testsys /etc/init.d/udev[1426]: ERROR: udev failed to start

When allowed, these failures are gone. Can't really find out why the failures occur (what attribute does kdevtmpfs want to set that is so important here - context?) but the fix is clear.
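As an added illustration (not part of the bug report or of the Gentoo SELinux policy), the script below derives the allow rule proposed in this bug from AVC denial lines the way audit2allow would, merging permissions per (source type, target type, class). The audit lines are constructed samples that mirror the rule named above, not output captured on the reporter's system.

```python
import re

# Constructed sample audit log: two denials matching the rule this bug adds,
# one unrelated denial, and a non-AVC record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1337198223.123:45): avc:  denied  { setattr } for  pid=1 comm="kdevtmpfs" name="stdin" dev="devtmpfs" ino=1030 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=chr_file
type=AVC msg=audit(1337198223.456:46): avc:  denied  { setattr } for  pid=1 comm="kdevtmpfs" name="stdout" dev="devtmpfs" ino=1031 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=chr_file
type=AVC msg=audit(1337198223.789:47): avc:  denied  { read } for  pid=2001 comm="cat" name="shadow" dev="sda1" ino=1234 scontext=unconfined_u:unconfined_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1337198223.789:47): arch=c000003e syscall=2 success=no exit=-13
"""

# Pull the denied permission set and the source/target contexts and class out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        perms = frozenset(m.group('perms').split())
        yield type_of(m.group('scontext')), type_of(m.group('tcontext')), m.group('tclass'), perms


def allow_rules(text):
    """Merge denials into the minimal set of allow rules, one per (source, target, class)."""
    merged = {}
    for stype, ttype, tclass, perms in parse_denials(text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (s, t, c), p in sorted(merged.items()):
        perm_text = next(iter(p)) if len(p) == 1 else '{ ' + ' '.join(sorted(p)) + ' }'
        rules.append(f"allow {s} {t}:{c} {perm_text};")
    return rules


def needs_kdevtmpfs_rule(text):
    """True when the log shows the exact denial that this bug's policy change covers."""
    return "allow kernel_t device_t:chr_file setattr;" in allow_rules(text)


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

Before adding a derived rule to policy, confirm it against the loaded policy (for example with sesearch) and check that the target type is the one intended rather than a mislabelled file.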
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-26 16:02:00 UTC
Policy update is in hardened-dev overlay (r10)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-06-27 21:57:40 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:39:25 UTC
Stabilized