Bug 69313 - Problem with SELinux context labeling on /dev
Summary: Problem with SELinux context labeling on /dev
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
Importance: High blocker
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-28 12:37 UTC by Bogdan Agica
Modified: 2004-10-29 09:52 UTC

See Also:
Package list:
Runtime testing required: ---

Description Bogdan Agica 2004-10-28 12:37:29 UTC
When I make relabel, I get no errors but /dev is still unlabeled. I tried using udev in x86 and ~x86, now I switched back to devfs, still the same problem.
# getfilecon /dev/
getfilecon:  getfilecon(/dev/) failed

Reproducible: Always
Steps to Reproduce:
1. make relabel
2. or: restorecon /dev/*
Actual Results:  
nothing is labeled, ls -Z segfaults and getfilecon says "Operation not permitted"

Expected Results:  
The devices being labeled appropriately

Portage 2.0.51-r2 (selinux/2004.1/x86, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-gentoo-r1 i686)
=================================================================
System uname: 2.6.9-gentoo-r1 i686 Intel(R) Celeron(R) CPU 2.60GHz
Gentoo Base System version 1.6.4
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers:  sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer -funroll-loops"
CHOST="i386-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.lug.ro/gentoo/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp6.uni-erlangen.de/pub/mirrors/gentoo ftp://vlaai.snt.ipv6.utwente.nl/pub/os/linux/gentoo/ http://vlaai.snt.ipv6.utwente.nl/pub/os/linux/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3ds X aalib accounting acl acpi adns aliaschain alsa apache2 atm audiofile
authdaemond avi ba-completion bdf berkdb bitmap-fonts bmp bonobo bootspla bzlib
c cap caps cdb cddb cdrom chroot clamav cnamefix cross crypt cscope ctype cups curl curlwrappers dga dhcp directfb divx4linux djbfft doc dv edl eds erandom ethereal evo exif exiscan-acl extensions fam fastcgi fbcon fs ftp fwdzone gd gdbm gif gimpprint gmp gnome gnomedb gnuplot gpm gtk gtk2 gtkhtml hardenedphp icc icc-pgo ifc imagemagick imap imlib imlib2 innkeywords innodb ipalias ipv6 ipv6arpa java javacomm jikes jpeg jpeg2k justify kerberos latex lesstif libcaca libwww live lzo lzw maildir maildrop md5sum mmx mmx2 mozilla moznocompose moznoirc moznomail moznoxft mozp3p mozxmlterm mp3 mpeg mpeg4 mpi mplayer mysql mysqli nagios-dns
nagios-ntp nagios-ping nagios-s nas ncurses neural nls nntp no-old-linux nocd nptl ntlm oav oggvorbis openal opengl pam pcntl pcre pda pdf pdfkit pdflib perl perlsuid pic png portaudio posix print procmail pthreads python qmail qt quicktime readline recode samba sapdb sasl selinux session sftplogging silc simplexml smime spamassassin speedo spell sse sse2 ssl stats svg svga tcpd tetex tga type1 uml unicode usagi usb v4l v4l2 vda vdesktop vhosts x86 xchattext xfs xml xml2 xmlrpc xmms xosd xsl xvid yahoo zlib"
Comment 1 Bogdan Agica 2004-10-29 05:17:57 UTC
I think I found a lead. In the file /etc/security/selinux/src/policy/file_contexts/file_contexts all the entries referring to /dev/ start with '/u?dev', such as:
#
# /dev
#
/u?dev(/.*)?                    system_u:object_r:device_t
/u?dev/pts(/.*)?                <<none>>
/u?dev/cpu/.*           -c      system_u:object_r:cpu_device_t
/u?dev/microcode        -c      system_u:object_r:cpu_device_t
/u?dev/MAKEDEV          --      system_u:object_r:sbin_t
/u?dev/null             -c      system_u:object_r:null_device_t
Is this normal? Is it because I had udev installed before? (I know this could be such a silly question, but I'm quite lost here.)
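To show what the '/u?dev' entries quoted above mean, here is an added example (not part of the bug report or of libselinux) that parses such file_contexts lines and resolves a path the way setfiles and matchpathcon do: the regex must match the whole path, an entry carrying a type flag such as -c only applies to that file type, and when several entries match the last one in the file wins, which is why the general /u?dev(/.*)? entry comes first. The optional 'u' simply makes each entry cover both /dev and /udev; the sample file_contexts text is the excerpt from the comment, embedded here as constructed input.

```python
import re

# Constructed sample: the /dev entries quoted in Comment 1 above.
SAMPLE_FILE_CONTEXTS = """\
#
# /dev
#
/u?dev(/.*)?                    system_u:object_r:device_t
/u?dev/pts(/.*)?                <<none>>
/u?dev/cpu/.*           -c      system_u:object_r:cpu_device_t
/u?dev/microcode        -c      system_u:object_r:cpu_device_t
/u?dev/MAKEDEV          --      system_u:object_r:sbin_t
/u?dev/null             -c      system_u:object_r:null_device_t
"""

def parse_file_contexts(text):
    """Return (compiled regex, type flag, context) triples in file order.
    The type flag is the letter after '-' (b, c, d, p, l, s, or '-' for a
    regular file), or None when the entry applies to every file type."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and len(fields[1]) == 2 and fields[1][0] == "-":
            pattern, type_flag, context = fields[0], fields[1][1], fields[2]
        elif len(fields) == 2:
            pattern, type_flag, context = fields[0], None, fields[1]
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # file_contexts regexes are anchored to the whole path (^...$);
        # Python's re is close enough to POSIX ERE for entries like these.
        specs.append((re.compile(pattern), type_flag, context))
    return specs

def lookup(specs, path, type_flag=None):
    """Context assigned to path by the last matching entry, '<<none>>' if that
    entry says not to label it, or None when nothing matches. type_flag is the
    file type of the object being labelled (None = unknown, matches all)."""
    result = None
    for regex, spec_type, context in specs:
        if spec_type and type_flag and spec_type != type_flag:
            continue                      # entry is for another file type
        if regex.fullmatch(path):
            result = context              # later matches override earlier
    return result
```

With these specs, lookup(parse_file_contexts(SAMPLE_FILE_CONTEXTS), "/udev/null", "c") resolves to system_u:object_r:null_device_t just as "/dev/null" does, while "/dev/pts/0" resolves to '<<none>>' and a path outside /dev returns None.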
Comment 2 petre rodan (RETIRED) gentoo-dev 2004-10-29 06:52:07 UTC
I'm sorry to say, but neither devfs, udev nor reiserfs is supported on gentoo selinux.
Comment 3 Bogdan Agica 2004-10-29 07:35:18 UTC
I got rid of reiserfs :) Recompiling without devfs and checking back again. But in bug #23501, pebenito states that "Since they mostly have to do with /dev, I'll guess that devfs is not mounted at boot by the kernel."
Now I'm getting really lost... as I found out that neither /proc nor /selinux nor /sys are labeled. Should I post my kernel .config?
Comment 4 petre rodan (RETIRED) gentoo-dev 2004-10-29 09:52:59 UTC
If you look closely at
http://www.gentoo.org/proj/en/hardened/selinux/selinux-x86-handbook.xml?part=1&chap=7
you'll notice that devfs has to be disabled.

closing with INVALID