
Bug 595820

Summary: sec-policy/selinux-base does not label udisksd correctly
Product: Gentoo Linux Reporter: Gabriele Svelto <gabriele.svelto>
Component: Current packages
Assignee: SE Linux Bugs <selinux>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: sec-policy r2
Package list:
Runtime testing required: ---
Attachments: [PATCH] Properly label the udisksd executable (attachments 449738, 449740 and 449742; see comments 1 to 3)

Description Gabriele Svelto 2016-10-01 20:12:50 UTC
I've recently had issues mounting drives with selinux enabled. The audit log would show a significant number of AVC denials related to udisksd. Converting them with audit2allow didn't yield any useful result since a few of them were neverallow rules in the base policy. After digging further I've noticed that /etc/selinux/targeted/contexts/files/file_contexts contained the following entries:

/lib/udisks2/udisksd	--	system_u:object_r:devicekit_disk_exec_t
/usr/lib/udisks2/udisksd	--	system_u:object_r:devicekit_disk_exec_t

Neither of these points to udisksd, which is located at /usr/libexec/udisks2/udisksd

I've tried adding this line to file_contexts.local and the problem disappears entirely, allowing me to mount drives without any AVC denial:

/usr/libexec/udisks2/udisksd    --      system_u:object_r:devicekit_disk_exec_t

It's probably just a matter of fixing it in the package so that the entry in file_contexts is correct.

Reproducible: Always

Steps to Reproduce:
I've got an Xfce desktop installation using the desktop and selinux profiles together. Default configuration was used for all the components involved (thunar, udisksd, etc.).
Actual Results:  
Trying to mount a USB key or another local volume from the desktop would fail due to AVC denials related to udisksd.
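The mechanism behind the report above: a file_contexts entry is an anchored regular expression, an optional file-type flag (`--` for regular files, `-d` for directories, and so on) and the context to assign; libselinux walks the compiled entries from the last to the first and uses the first hit, so the last matching line wins. If no udisksd-specific line matches the real path, the binary keeps whatever the generic catch-all for its directory gives it, and because the domain transition into the udisks domain is keyed on the executable's type, udisksd then runs in its caller's domain and trips the denials and neverallow rules the reporter saw. The following is an added example, not code from the bug, the reporter or the refpolicy project: a small Python resolver for this format run over the two entries quoted above plus the file_contexts.local line from the report. The `/usr/libexec(/.*)?` catch-all and its `lib_t` context are constructed for illustration and are not taken from the page; the parser and lookup functions are hypothetical names.

```python
import re
from typing import List, NamedTuple, Optional

# File-type flags allowed in the optional second column of file_contexts.
# No flag means the entry applies to every file type.
VALID_FLAGS = {"--", "-d", "-l", "-c", "-b", "-s", "-p"}


class Spec(NamedTuple):
    regex: re.Pattern          # compiled pattern from the first column
    file_type: Optional[str]   # e.g. "--", or None when the column is absent
    context: Optional[str]     # None stands for the special value <<none>>


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts-style lines: 'regex [flag] context'."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, flag, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            pattern, flag, context = fields
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        if flag is not None and flag not in VALID_FLAGS:
            raise ValueError(f"unknown file type flag {flag!r} in {line!r}")
        specs.append(Spec(re.compile(pattern), flag,
                          None if context == "<<none>>" else context))
    return specs


def lookup(specs: List[Spec], path: str, file_type: str = "--") -> Optional[str]:
    """Return the context a path would get, mimicking libselinux's rule that the
    last matching entry wins.  libselinux anchors every pattern with ^ and $,
    which re.fullmatch() does for us here."""
    for spec in reversed(specs):
        if spec.file_type is not None and spec.file_type != file_type:
            continue  # entry restricted to another file type, skip it
        if spec.regex.fullmatch(path):
            return spec.context
    return None


# Constructed sample: the two entries quoted in the report, preceded by a
# generic catch-all for /usr/libexec (assumed here; not taken from the page).
BASE_POLICY = """
/usr/libexec(/.*)?	system_u:object_r:lib_t
/lib/udisks2/udisksd	--	system_u:object_r:devicekit_disk_exec_t
/usr/lib/udisks2/udisksd	--	system_u:object_r:devicekit_disk_exec_t
"""

# The line the reporter appended to file_contexts.local.
LOCAL_FIX = "/usr/libexec/udisks2/udisksd    --      system_u:object_r:devicekit_disk_exec_t\n"

UDISKSD = "/usr/libexec/udisks2/udisksd"


def label_before_and_after():
    """Context assigned to the real udisksd path without and with the local entry."""
    base = parse_file_contexts(BASE_POLICY)
    fixed = parse_file_contexts(BASE_POLICY + LOCAL_FIX)
    return lookup(base, UDISKSD), lookup(fixed, UDISKSD)


if __name__ == "__main__":
    before, after = label_before_and_after()
    print(f"without local entry: {before}")
    print(f"with local entry:    {after}")
```

Before the fix the binary resolves to the generic catch-all, after it to devicekit_disk_exec_t; a directory at the same path would still fall through to the catch-all, because the `--` flag limits the new entry to regular files. On a real system the same check is `matchpathcon /usr/libexec/udisks2/udisksd`, the current label is shown by `ls -Z`, and the supported way to add the local entry is `semanage fcontext -a -t devicekit_disk_exec_t /usr/libexec/udisks2/udisksd` followed by `restorecon -v /usr/libexec/udisks2/udisksd`; hand-editing file_contexts.local as in the report works as well but is overwritten less gracefully on policy updates.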
Comment 1 Gabriele Svelto 2016-10-10 11:04:50 UTC
Created attachment 449738 [details, diff]
[PATCH] Properly label the udisksd executable

This is a patch done against hardened-refpolicy's master branch which properly labels the udisksd executable, thus solving the issue.
Comment 2 Gabriele Svelto 2016-10-10 11:05:43 UTC
Created attachment 449740 [details, diff]
[PATCH] Properly label the udisksd executable

Wrong patch, this is the right one, sorry for the noise.
Comment 3 Gabriele Svelto 2016-10-10 11:09:53 UTC
Created attachment 449742 [details, diff]
[PATCH] Properly label the udisksd executable

Ugh, I should have drunk more coffee this morning. This is the right one, sorry again for the noise.
Comment 4 Gabriele Svelto 2016-10-10 11:19:46 UTC
CC'ing one of the maintainers.
Comment 5 Gabriele Svelto 2017-01-12 10:29:51 UTC
This is already fixed in the last stable version of selinux-base (2.20161023-r3) so I think the bug can be closed.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2017-01-13 17:11:24 UTC
Yup indeed, I forgot to resolve the bug after stabilization of r2.