Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 451128

Summary: udev-197 fails to load on a SELinux enabled system
Product: Gentoo Linux Reporter: Hinnerk van Bruinehsen <h.v.bruinehsen>
Component: SELinuxAssignee: Sven Vermeulen (RETIRED) <swift>
Severity: normal CC: selinux, udev-bugs
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 411627    
Attachments: Output of "grep udev <avc-related logs>

Description Hinnerk van Bruinehsen 2013-01-10 08:27:11 UTC
After updating udev to udev-197 my system refuses to boot successfully in enforcing mode. The udev service fails according to the console output (the error implies that it fails to create a netlink socket).
Because of the failure of udev several other services refuse to start (including syslog-ng - that causes the fact that I can't provide any logs about the failure in enforcing mode).

Booting in permissive mode works and I'll attach a file with the denials that seem to cause the error. 

Additional fact: dmcrypt fails to start even in permissive mode with udev-197 - I'm not sure if that is caused by SELinux though.

Reproducible: Always

Steps to Reproduce:
1. Install udev-197
2. Reboot in enforcing mode
3. Look at console errors ;)
Actual Results:  
System doesn't get to a login-prompt - neither console nor xdm. Several udev-dependent services fail...

Expected Results:  
System boots to login prompt.

I'm using the live policy (-9999 ebuilds)
Comment 1 Hinnerk van Bruinehsen 2013-01-10 08:30:10 UTC
Created attachment 335028 [details]
Output of "grep udev <avc-related logs>
Comment 2 Alexander Tsoy 2013-01-11 08:40:40 UTC
(In reply to comment #0)
> Additional fact: dmcrypt fails to start even in permissive mode with
> udev-197 - I'm not sure if that is caused by SELinux though.

Please try solution provided in bug 451266
Comment 3 Amadeusz Sławiński 2013-01-11 18:45:55 UTC
Seems like some file were moved again...

# ls -lZ /lib/systemd/systemd-udevd  
-rwxr-xr-x. 1 root root staff_u:object_r:bin_t 203096 Jan 10 23:51 /lib/systemd/systemd-udevd

in policy there is /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)

# chcon -t udev_exec_t /lib/systemd/systemd-udevd 
it boots fine
Comment 4 Hinnerk van Bruinehsen 2013-01-13 01:04:04 UTC
You're right, Amade - that fixes it for me too. So it should suffice to adjust the file contexts in the policy.
Comment 5 Samuli Suominen gentoo-dev 2013-01-16 14:49:58 UTC

What do you want to do with this? Do you want me to temporarily mask 197 in the selinux profile? Do you have an diff for 197-r2, -r3 and 9999 we can apply to keep things working?

Need to know pretty fast. Thanks!
Comment 6 Samuli Suominen gentoo-dev 2013-01-16 15:10:18 UTC
Can we just add `use selinux && chcon -t udev_exec_t "${D}"/lib/systemd/systemd-udevd` to src_install?
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-01-16 15:30:06 UTC
it's in hardened-refpolicy, working with swift for stabilization of this specific fix.;a=commit;h=9b69c1fc94686ed3cc28e4bb1d1b7a0aa9045025
Comment 8 Hinnerk van Bruinehsen 2013-01-16 15:40:24 UTC
I can confirm that it's fixed in hardened-refpolicy now.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-16 19:46:58 UTC
@Samuli: you can't do that in "${D}"/... as the file labels are applied after merging the files from the image/ onto the real file system (so it's more a postinst part).
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-16 20:07:44 UTC
Ok fix is in portage tree, ~arch for now (need to do a quick merge check). Only contains this one fix (well and a small typo elsewhere) so I can stabilize more quickly
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-16 20:58:43 UTC
Fix is now stabilized (selinux-base and selinux-base-policy packages are bumped to rev10 and stable in tree), successfully applied and booted (in enforcing mode) a stable system