Summary: | udev-197 fails to load on a SELinux enabled system | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Hinnerk van Bruinehsen <h.v.bruinehsen> |
Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | selinux, udev-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | AMD64 | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 411627 | ||
Attachments: | Output of "grep udev <avc-related logs> |
Description
Hinnerk van Bruinehsen
2013-01-10 08:27:11 UTC
Created attachment 335028 [details]
Output of "grep udev <avc-related logs>
(In reply to comment #0) > Additional fact: dmcrypt fails to start even in permissive mode with > udev-197 - I'm not sure if that is caused by SELinux though. Please try solution provided in bug 451266 Seems like some file were moved again... # ls -lZ /lib/systemd/systemd-udevd -rwxr-xr-x. 1 root root staff_u:object_r:bin_t 203096 Jan 10 23:51 /lib/systemd/systemd-udevd in policy there is /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) after # chcon -t udev_exec_t /lib/systemd/systemd-udevd it boots fine You're right, Amade - that fixes it for me too. So it should suffice to adjust the file contexts in the policy. selinux@ What do you want to do with this? Do you want me to temporarily mask 197 in the selinux profile? Do you have an diff for 197-r2, -r3 and 9999 we can apply to keep things working? Need to know pretty fast. Thanks! Can we just add `use selinux && chcon -t udev_exec_t "${D}"/lib/systemd/systemd-udevd` to src_install? it's in hardened-refpolicy, working with swift for stabilization of this specific fix. http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b69c1fc94686ed3cc28e4bb1d1b7a0aa9045025 I can confirm that it's fixed in hardened-refpolicy now. @Samuli: you can't do that in "${D}"/... as the file labels are applied after merging the files from the image/ onto the real file system (so it's more a postinst part). Ok fix is in portage tree, ~arch for now (need to do a quick merge check). Only contains this one fix (well and a small typo elsewhere) so I can stabilize more quickly Fix is now stabilized (selinux-base and selinux-base-policy packages are bumped to rev10 and stable in tree), successfully applied and booted (in enforcing mode) a stable system |