Bug 426954 - sys-fs/udev-186 doesn't start in enforcing (~amd64/selinux)
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r15
Depends on:
Reported: 2012-07-17 09:06 UTC by Amadeusz Sławiński
Modified: 2012-10-04 18:34 UTC



Description Amadeusz Sławiński 2012-07-17 09:06:18 UTC
Seems like they changed the location of the udev binary due to merging udev with systemd.

 * Starting udev ...
Failed to initialize SELinux context: Permission denied
error getting socket: Permission denied
error initializing netlink socket
error initializing netlink socket
 * start-stop-daemon: failed to start `/usr/lib/systemd/systemd-udevd'
 * Failed to start udev
 * ERROR: udev failed to start

ls -lZ /usr/lib/systemd/systemd-udevd
-rwxr-xr-x. 1 root root system_u:object_r:lib_t 202896 Jul 15 15:46 /usr/lib/systemd/systemd-udevd

In enforcing:
Jul 17 10:29:11 lain kernel: [   14.334421] type=1400 audit(1342513745.096:3): avc:  denied  { create } for  pid=1342 comm="systemd-udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket

In permissive:
Jul 17 10:44:44 lain kernel: [   16.281545] type=1400 audit(1342514679.603:115): avc:  denied  { read } for  pid=1347 comm="systemd-udevd" name="13" dev="tmpfs" ino=3297 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:udev_var_run_t tclass=lnk_file
Jul 17 10:45:04 lain kernel: [   40.765779] type=1400 audit(1342514704.136:134): avc:  denied  { read } for  pid=2145 comm="X" name="c13:67" dev="tmpfs" ino=2326 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Jul 17 10:45:04 lain kernel: [   40.765804] type=1400 audit(1342514704.136:135): avc:  denied  { open } for  pid=2145 comm="X" name="c13:67" dev="tmpfs" ino=2326 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:udev_var_run_t tclass=file
Jul 17 10:45:04 lain kernel: [   40.765832] type=1400 audit(1342514704.136:136): avc:  denied  { getattr } for  pid=2145 comm="X" path="/run/udev/data/c13:67" dev="tmpfs" ino=2326 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:udev_var_run_t tclass=file

Reproducible: Always

Portage (hardened/linux/amd64/selinux, gcc-4.6.3, glibc-2.15-r2, 3.4.4-hardened-r2 x86_64)
System uname: Linux-3.4.4-hardened-r2-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.1
Timestamp of tree: Sat, 14 Jul 2012 10:30:01 +0000
app-shells/bash:          4.2_p36
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.8-r3
dev-util/pkgconfig:       0.27
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.11.6, 1.12.2
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.3-r2, 4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r1 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 PUEL"
CFLAGS="-march=native -O2 -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/var/lib/layman/hardened-development /usr/local/portage"
USE="X acpi alsa amd64 apache2 bash-completion berkdb bluetooth bzip2 cli cracklib crypt cxx dbus dri gdbm gif gpm hardened iconv ipv6 jpeg justify mmx modules mp3 mudflap multilib mysql mysqli ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 tcpd tiff udev unicode urandom vim-syntax xinerama xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-17 12:26:20 UTC
If you change the label for this binary (I think it needs to become udev_exec_t but you can verify this using "semanage fcontext -l | grep udevd"), does that resolve it again?

And also: seriously? Ffs...
Comment 2 Amadeusz Sławiński 2012-07-17 13:27:34 UTC
With udev_exec_t it seems to boot ok
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-17 15:42:22 UTC
Thanks, will be fixed in rev15
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-21 20:15:47 UTC
Is in hardened-dev overlay. You will need to relabel udev though
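The triage Sven describes in comment 1 (check what type the policy expects for the binary, compare it with what `ls -lZ` shows) and the relabel from comment 4, worked through as an added shell example. This is not code from the bug report or from Gentoo's policy. It reads the evidence already on this page: the moved binary sits in /usr/lib/systemd/ and so picked up that directory's generic lib_t label instead of the entry-point type udev_exec_t; without that entry point there is no domain transition when start-stop-daemon executes it, so udevd keeps running as initrc_t, and initrc_t is not allowed to create a netlink_kobject_uevent_socket, which is the enforcing-mode AVC above. udev_exec_t is the type named in comment 1; the udev_t target domain is an assumption (the standard reference-policy name), and the sample inputs are constructed from the report so the script runs offline without SELinux.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Gentoo's policy.
# Triage for "moved binary carries the wrong label": the file type and the
# AVC's source domain are checked together, since a wrong entry-point label
# shows up as both (file is lib_t instead of udev_exec_t, process stays
# initrc_t instead of transitioning to udev_t, the assumed target domain).

# Constructed sample input: the ls -lZ line and the enforcing-mode AVC copied
# from the report, embedded so the script runs without SELinux.
SAMPLE_LS='-rwxr-xr-x. 1 root root system_u:object_r:lib_t 202896 Jul 15 15:46 /usr/lib/systemd/systemd-udevd'
SAMPLE_AVC='type=1400 audit(1342513745.096:3): avc:  denied  { create } for  pid=1342 comm="systemd-udevd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_kobject_uevent_socket'

# file_type_of LS_LINE: the type component of the file's context (5th field).
file_type_of() {
    printf '%s\n' "$1" | awk '{ split($5, c, ":"); print c[3] }'
}

# avc_field AVC_LINE KEY: value of "KEY=..." in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# domain_of CONTEXT: the type (domain) component of a process context.
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# diagnose LS_LINE AVC_LINE EXPECTED_EXEC_TYPE EXPECTED_DOMAIN
# Exit 0 when both signs of a mislabelled entry point are present (file type
# is wrong AND the process stayed in the caller's domain); exit 1 otherwise,
# because then the denial is a policy gap rather than a label problem.
diagnose() {
    have_exec=$(file_type_of "$1")
    have_domain=$(domain_of "$(avc_field "$2" scontext)")
    if [ "$have_exec" != "$3" ] && [ "$have_domain" != "$4" ]; then
        printf 'mislabelled: file is %s (want %s), process runs as %s (want %s)\n' \
            "$have_exec" "$3" "$have_domain" "$4"
        return 0
    fi
    printf 'labels look right (%s, %s); the denial is a policy gap, not a label\n' \
        "$have_exec" "$have_domain"
    return 1
}

# fix_label PATH TYPE: print the commands that persist and apply the relabel.
# Printed rather than executed: they need root and a policy store. Once a
# policy that already ships the context is installed (rev15 here), the
# semanage line is unnecessary and only restorecon is needed (comment 4).
fix_label() {
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$1"
    printf "restorecon -v '%s'\n" "$1"
}

if diagnose "$SAMPLE_LS" "$SAMPLE_AVC" udev_exec_t udev_t; then
    fix_label /usr/lib/systemd/systemd-udevd udev_exec_t
fi
```

On a live system, replace the two SAMPLE_ strings with `ls -lZ /usr/lib/systemd/systemd-udevd` and the `avc: denied` line from dmesg, and take the expected type from `semanage fcontext -l | grep udevd`, as comment 1 suggests. Checking the AVC's scontext as well as the file label is the useful part: if the file were already udev_exec_t and the process still ran as initrc_t, relabelling would not help and the missing domain transition would be the thing to chase.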
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-28 09:28:12 UTC
In main tree, ~arched
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:34:51 UTC