Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
Many AVCs, and there is a problem with runlevel 5 (graphical login, etc.) preventing login (but text login works).
Here are the first, early AVCs: (I'll dig for more later.)
Aug 28 10:23:40 fedora kernel: usbcore: registered new driver usblp
Aug 28 10:23:40 fedora kernel: drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Aug 28 10:23:40 fedora acpid: acpid startup succeeded
Aug 28 10:23:40 fedora kernel: ACPI: Power Button (FF) [PWRF]
Aug 28 10:23:40 fedora kernel: ACPI: Sleep Button (CM) [FUTS]
Aug 28 10:23:40 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc: denied { search } for pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { execute_no_trans } for pid=1271 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { write } for pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
These repeat many times. When run in permissive mode, this sequence becomes:
Aug 28 10:32:25 fedora kernel: EXT3 FS on hda2, internal journal
Aug 28 10:32:25 fedora kernel: audit(1093714297.852:0): avc: denied { search } for pid=1283 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.859:0): avc: denied { search } for pid=1283 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { read } for pid=1283 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { getattr } for pid=1283 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.077:0): avc: denied { execute_no_trans } for pid=1285 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.109:0): avc: denied { search } for pid=1285 exe=/bin/bash name=console dev=hda2 ino=4456494 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied { write } for pid=1283 exe=/sbin/udev name=fscreate dev=proc ino=84082710 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714298.113:0): avc: denied { setfscreate } for pid=1283 exe=/sbin/udev scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=process
Aug 28 10:32:25 fedora kernel: audit(1093714317.126:0): avc: denied { search } for pid=1671 exe=/sbin/udev name=files dev=hda2 ino=4509746 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=dir
Audit2allow on this says:
allow : { write };
allow udev_t default_context_t:dir { search };
allow udev_t etc_t:file { execute_no_trans };
allow udev_t file_context_t:dir { search };
allow udev_t file_context_t:file { read };
allow udev_t pam_var_console_t:dir { search };
allow udev_t udev_t:process { setfscreate };
The funny 'allow : { write };' is for the write of 'fscreate' in /proc.
After obtaining the graphical login screen, here is the offending AVC:
Aug 28 10:24:42 fedora gdm(pam_unix)[3888]: session opened for user tbl by (uid=0)
Aug 28 10:24:43 fedora kernel: audit(1093713883.626:0): avc: denied { create } for pid=4042 exe=/usr/bin/dbus-daemon-1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_selinux_socket
An error window pops up reporting an SELinux/AVC type failure. It then returns to the login screen.
Just prior to that, there are many 'denied's from udev and hald. Here are a few:
Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:21 fedora kernel: audit(1093713853.755:0): avc: denied { execute } for pid=3466 exe=/usr/sbin/hald name=hal-hotplug-map dev=hda2 ino=606213 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:bin_t tclass=file
Aug 28 10:24:21 fedora udev[3953]: creating device node '/dev/vcs7'
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.817:0): avc: denied { search } for pid=3798 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.819:0): avc: denied { execute_no_trans } for pid=3846 exe=/sbin/udev path=/etc/udev/scripts/pam_console.dev dev=hda2 ino=574019 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t tclass=file
Aug 28 10:24:22 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:updfstab_t tcontext=system_u:system_r:hald_t tclass=dbus
Aug 28 10:24:22 fedora kernel: audit(1093713853.820:0): avc: denied { write } for pid=3798 exe=/sbin/udev name=fscreate dev=proc ino=248905750 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
[BTW: When I reboot, /etc/fstab has been relabeled to type tmp_t. Is the above causing this?]
I rebooted strict/permissive, and things appear OK, including loading of sound modules.
However, as noted above, something is relabeling /etc/fstab to tmp_t:
Aug 28 10:33:21 fedora gdm(pam_unix)[3786]: session opened for user tbl by (uid=0)
Aug 28 10:33:21 fedora kernel: audit(1093714401.349:0): avc: denied { read } for pid=3786 exe=/usr/bin/gdm-binary name=fstab dev=hda2 ino=4654141 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=file
Aug 28 10:33:21 fedora kernel: audit(1093714401.350:0): avc: denied { getattr } for pid=3786 exe=/usr/bin/gdm-binary path=/etc/fstab dev=hda2 ino=4654141 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=file
I believe I'm running a 'stock' Rawhide system.
tom
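As an added example (not Tom's code and not audit2allow itself), a small Python aggregator that turns the kernel and dbus-daemon AVC lines quoted in this post into audit2allow-style allow rules, grouped by source type, target type and object class. The sample lines are copied from the post; the fscreate write, whose target type equals the source type, is rendered with self, where the audit2allow of the day printed the empty "allow : { write };".

```python
import re
from collections import defaultdict

# Sample taken from the AVC lines in the post above: kernel audit AVCs,
# the /proc/self/attr/fscreate write, and a userspace dbus AVC (no pid/exe).
SAMPLE_LOG = """\
Aug 28 10:23:41 fedora kernel: audit(1093713783.757:0): avc: denied { search } for pid=1264 exe=/sbin/udev name=contexts dev=hda2 ino=4509745 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:default_context_t tclass=dir
Aug 28 10:23:41 fedora kernel: audit(1093713783.790:0): avc: denied { write } for pid=1264 exe=/sbin/udev name=fscreate dev=proc ino=82837526 scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=file
Aug 28 10:24:21 fedora dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:updfstab_t tclass=dbus
Aug 28 10:24:43 fedora kernel: audit(1093713883.626:0): avc: denied { create } for pid=4042 exe=/usr/bin/dbus-daemon-1 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_selinux_socket
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { read } for pid=1283 exe=/sbin/udev name=file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
Aug 28 10:32:25 fedora kernel: audit(1093714297.872:0): avc: denied { getattr } for pid=1283 exe=/sbin/udev path=/etc/selinux/strict/contexts/files/file_contexts dev=hda2 ino=4505700 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:file_context_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..." (kernel or dbus)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (list of permissions, dict of key=value fields) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return m.group("perms").split(), fields


def type_of(context):
    # Contexts in this policy are user:role:type with no MLS range.
    return context.split(":")[2]


def aggregate(log_text):
    """Group denials by (source type, target type, class), merging perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        rules[key].update(perms)
    return rules


def render(rules):
    """Emit one policy allow rule per key, using self for same-type targets."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        out.append("allow %s %s:%s { %s };"
                   % (stype, target, tclass, " ".join(sorted(perms))))
    return out


if __name__ == "__main__":
    for rule in render(aggregate(SAMPLE_LOG)):
        print(rule)
```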
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Please try it out and let me know how it goes.
btw i didn't see an acknowledgement from the person who sent the last udev patch (dan was it you?)
the use of the "mode" argument it is clear has not been used, to call i think it was matchpathcon.
instead, because i had three near-identical code portions all of which had different S_IFXXX thingies, dan-i-think-it-was moved the near-identical code into a function with a "mode" argument...
... and forgot to use the "mode" argument such that matchpathcon is called with S_IFDIR.
given that i haven't seen an acknowledgement of this issue either in my inbox or on the mailing lists (which i am checking manually) i thought it best to hassle people until i know it's been spotted.
this is IMPORTANT because it will impact the contexts on inodes and stuff created in /dev: the "optimising" argument "mode" passed to matchpathcon and setfscreatecon, if wrong, results in relevant (and correct!) file_context entries being skipped!
l.
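To show why the mode argument matters, here is an added Python model (not udev's or libselinux's code) of how matchpathcon selects a file_contexts entry: the last matching regex wins, but an entry carrying a file-type flag (-b, -c, -d, -l, ...) is skipped unless the flag agrees with the mode the caller passed. The file_contexts table and the list of device nodes are constructed for the example; label_nodes() is run once with each node's real mode and once with S_IFDIR for everything, which is the earlier patch's behaviour as described above.

```python
import re
import stat

# Constructed miniature file_contexts table (not the Fedora policy's own):
# regex, optional file-type flag, context. Later entries take precedence.
FILE_CONTEXTS = """\
/dev(/.*)?                system_u:object_r:device_t
/dev/null            -c   system_u:object_r:null_device_t
/dev/console         -c   system_u:object_r:console_device_t
/dev/hda[0-9]*       -b   system_u:object_r:fixed_disk_device_t
/dev/shm             -d   system_u:object_r:tmpfs_t
/dev/core            -l   system_u:object_r:device_t
"""

# file_contexts type flags and the S_IFMT value each one selects
TYPE_FLAGS = {"-b": stat.S_IFBLK, "-c": stat.S_IFCHR, "-d": stat.S_IFDIR,
              "-l": stat.S_IFLNK, "-p": stat.S_IFIFO, "-s": stat.S_IFSOCK,
              "--": stat.S_IFREG}


def parse_file_contexts(text):
    """Return a list of (compiled regex, required S_IFMT or None, context)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, flag, ctx = parts
            ftype = TYPE_FLAGS[flag]
        else:
            regex, ctx = parts
            ftype = None
        entries.append((re.compile("^(?:" + regex + ")$"), ftype, ctx))
    return entries


def matchpathcon(entries, path, mode):
    """Model of matchpathcon(): last matching entry wins, but an entry with a
    type flag only matches when the flag equals the S_IFMT bits of mode."""
    for regex, ftype, ctx in reversed(entries):
        if ftype is not None and ftype != stat.S_IFMT(mode):
            continue
        if regex.match(path):
            return ctx
    return None


def label_nodes(entries, nodes, pass_real_mode):
    """Context udev would set on each (path, st_mode) node. With
    pass_real_mode=False every lookup uses S_IFDIR, so the type-specific
    device entries are skipped and the generic /dev entry wins instead."""
    result = {}
    for path, st_mode in nodes:
        mode = st_mode if pass_real_mode else stat.S_IFDIR
        result[path] = matchpathcon(entries, path, mode)
    return result


# Constructed set of nodes udev creates during boot (assumed modes).
NODES = [
    ("/dev/null", stat.S_IFCHR | 0o666),
    ("/dev/console", stat.S_IFCHR | 0o600),
    ("/dev/hda2", stat.S_IFBLK | 0o660),
    ("/dev/shm", stat.S_IFDIR | 0o755),
    ("/dev/core", stat.S_IFLNK | 0o777),
]

if __name__ == "__main__":
    entries = parse_file_contexts(FILE_CONTEXTS)
    good = label_nodes(entries, NODES, pass_real_mode=True)
    bad = label_nodes(entries, NODES, pass_real_mode=False)
    for path, _ in NODES:
        print("%-13s real mode -> %-38s S_IFDIR -> %s"
              % (path, good[path], bad[path]))
```

Only the directory keeps its intended label under the buggy call; every device node silently falls back to device_t even though the correct file_contexts entry exists.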
On Sun, Aug 29, 2004 at 05:37:17PM +1000, Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Luke Kenneth Casson Leighton wrote:
btw i didn't see an acknowledgement from the person who sent the last udev patch (dan was it you?)
the use of the "mode" argument it is clear has not been used, to call i think it was matchpathcon.
instead, because i had three near-identical code portions all of which had different S_IFXXX thingies, dan-i-think-it-was moved the near-identical code into a function with a "mode" argument...
... and forgot to use the "mode" argument such that matchpathcon is called with S_IFDIR.
given that i haven't seen an acknowledgement of this issue either in my inbox or on the mailing lists (which i am checking manually) i thought it best to hassle people until i know it's been spotted.
this is IMPORTANT because it will impact the contexts on inodes and stuff created in /dev: the "optimising" argument "mode" passed to matchpathcon and setfscreatecon, if wrong, results in relevant (and correct!) file_context entries being skipped!
l.
On Sun, Aug 29, 2004 at 05:37:17PM +1000, Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes it was me and I modified our udev rpm, but I guess I never responded. Sorry about that.
Luke thanks for the fix.
Dan
--- udev-030/Makefile.selinux 2004-07-09 13:59:09.000000000 -0400 +++ udev-030/Makefile 2004-08-27 09:28:25.000000000 -0400 @@ -25,6 +25,8 @@ # Leave this set to `false' for production use. DEBUG = false
+# Set this to compile with Security-Enhanced Linux support. +USE_SELINUX = true
ROOT = udev DAEMON = udevd @@ -172,6 +174,11 @@
CFLAGS += -I$(PWD)/libsysfs
+ifeq ($(strip $(USE_SELINUX)),true) + CFLAGS += -DUSE_SELINUX + LIB_OBJS += -lselinux +endif + all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER) @extras="$(EXTRAS)" ; for target in $$extras ; do \ echo $$target ; \ @@ -216,6 +223,7 @@ udevdb.h \ klibc_fixups.h \ logging.h \ + selinux.h \ list.h
ifeq ($(strip $(USE_KLIBC)),true) --- udev-030/selinux.h.selinux 2004-08-27 15:27:32.211405217 -0400 +++ udev-030/selinux.h 2004-08-27 15:26:31.620370476 -0400 
@@ -0,0 +1,80 @@ +#ifndef SELINUX_H +#define SELINUX_H + +#ifndef USE_SELINUX + +static inline void selinux_setfilecon(char *file, unsigned int mode) { } +static inline void selinux_setfscreatecon(char *file, unsigned int mode) {} +static inline void selinux_init(void) {} +static inline void selinux_restore(void) {} + +#else + +#include <selinux/selinux.h> + +static int selinux_enabled=-1; +static security_context_t prev_scontext=NULL; + +static inline int is_selinux_running(void) { + if ( selinux_enabled==-1 ) + return selinux_enabled=is_selinux_enabled()>0; + return selinux_enabled; +} +static inline void selinux_setfilecon(char *file, unsigned int mode) { + if (is_selinux_running()) { + security_context_t scontext=NULL; + if (matchpathcon(file, mode, &scontext) < 0) { + dbg("matchpathcon(%s) failed\n", file); + } else { + + if (setfilecon(file, scontext) < 0) + dbg("setfiles %s failed with error '%s'", + file, strerror(errno)); + freecon(scontext); + } + } +} + +static inline void selinux_setfscreatecon(char *file, unsigned int mode) { + int retval = 0; + security_context_t scontext=NULL; + + if (is_selinux_running()) { + if (matchpathcon(file, mode, &scontext) < 0) { + dbg("matchpathcon(%s) failed\n", file); + } else { + retval=setfscreatecon(scontext); + if (retval < 0) + dbg("setfiles %s failed with error '%s'", + file, strerror(errno)); + freecon(scontext); + } + } +} +static inline void selinux_init(void) { + /* record the present security context, for file-creation + * restoration creation purposes. 
+ * + */ + + if (is_selinux_running()) + { + if (getfscreatecon(&prev_scontext) < 0) { + dbg("getfscreatecon failed\n"); + } + prev_scontext=NULL; + } +} +static inline void selinux_restore(void) { + if (is_selinux_running()) { + /* reset the file create context to its former glory */ + if ( setfscreatecon(prev_scontext) < 0 ) + dbg("setfscreatecon failed\n"); + if (prev_scontext) { + freecon(prev_scontext); + prev_scontext=NULL; + } + } +} +#endif /* USE_SELINUX */ +#endif /* SELINUX_H */ --- udev-030/udev-add.c.selinux 2004-08-26 13:06:56.000000000 -0400 +++ udev-030/udev-add.c 2004-08-26 14:16:05.000000000 -0400 @@ -50,6 +50,8 @@
#define LOCAL_USER "$local"
+#include "selinux.h" + /* * Right now the major/minor of a device is stored in a file called * "dev" in sysfs. @@ -92,6 +94,7 @@ break; *pos = 0x00; if (stat(p, &stats)) { + selinux_setfscreatecon(p, S_IFDIR); retval = mkdir(p, 0755); if (retval != 0) { dbg("mkdir(%s) failed with error '%s'", @@ -117,6 +120,7 @@ if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) && (stats.st_rdev == makedev(major, minor))) { dbg("preserve file '%s', cause it has correct dev_t", file); + selinux_setfilecon(file,stats.st_mode); if (udev_preserve_owner) goto exit; else @@ -129,6 +133,7 @@ dbg("already present file '%s' unlinked", file);
create: + selinux_setfscreatecon(file, mode); retval = mknod(file, mode, makedev(major, minor)); if (retval != 0) { dbg("mknod(%s, %#o, %u, %u) failed with error '%s'", @@ -307,6 +312,7 @@
dbg("symlink(%s, %s)", linktarget, filename); if (!fake) { + selinux_setfscreatecon(filename, S_IFLNK); unlink(filename); if (symlink(linktarget, filename) != 0) dbg("symlink(%s, %s) failed with error '%s'", @@ -441,6 +447,7 @@
dbg("name='%s'", dev.name);
+ selinux_init(); switch (dev.type) { case 'b': case 'c': @@ -478,6 +485,7 @@ }
exit: + selinux_restore(); sysfs_close_class_device(class_dev);
return retval;
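Review bot: in selinux_init() in the selinux.h hunk, `prev_scontext=NULL;` runs unconditionally right after `getfscreatecon(&prev_scontext)`, so the context just fetched is leaked and never restored; selinux_restore() then always calls setfscreatecon(NULL) (reset to the default create context) instead of the recorded one. Move the assignment inside the error branch: `if (getfscreatecon(&prev_scontext) < 0) { dbg("getfscreatecon failed\n"); prev_scontext = NULL; }`. Two smaller points in the same hunk: the dbg() messages in selinux_setfilecon() and selinux_setfscreatecon() say "setfiles %s failed" when the failing call is setfilecon()/setfscreatecon(), and the header uses errno and strerror() without including <errno.h> and <string.h>, relying on the including file.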
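Review bot: the Makefile hunk sets `USE_SELINUX = true` as the default, so every build now requires the libselinux headers and -lselinux, unlike DEBUG just above it, which defaults off for production; consider defaulting to false or stating the new build dependency in the comment. In the udev-add.c hunk the mode is passed at every call site (S_IFDIR for mkdir, the node's mode for mknod, S_IFLNK for symlink, stats.st_mode for a preserved node), so the S_IFDIR-only matchpathcon call discussed earlier in the thread is not present in this version; what remains is that selinux_setfscreatecon() returns void and only dbg()s on failure, so mknod() proceeds with whatever create context was in effect without the caller being able to detect it.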
On Mon, Aug 30, 2004 at 02:17:30PM -0400, Daniel J Walsh wrote:
Luke Kenneth Casson Leighton wrote:
btw i didn't see an acknowledgement from the person who sent the last udev patch (dan was it you?)
the use of the "mode" argument it is clear has not been used, to call i think it was matchpathcon.
instead, because i had three near-identical code portions all of which had different S_IFXXX thingies, dan-i-think-it-was moved the near-identical code into a function with a "mode" argument...
... and forgot to use the "mode" argument such that matchpathcon is called with S_IFDIR.
given that i haven't seen an acknowledgement of this issue either in my inbox or on the mailing lists (which i am checking manually) i thought it best to hassle people until i know it's been spotted.
this is IMPORTANT because it will impact the contexts on inodes and stuff created in /dev: the "optimising" argument "mode" passed to matchpathcon and setfscreatecon, if wrong, results in relevant (and correct!) file_context entries being skipped!
l.
On Sun, Aug 29, 2004 at 05:37:17PM +1000, Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Yes it was me and I modified our udev rpm, but I guess I never responded. Sorry about that.
not a problem, just making sure.
i have to manually check the fedora-selinux list: if you did i must have missed it.
*whew*.
l.
Russell,
Thanks, but it didn't quite work. The following change to dbusd.te seems to make graphical login work under strict/enforcing.
Please correct/improve... :) tom
--- /root/src.package/policy/domains/program/dbusd.te 2004-08-29 11:38:27.000000000 -0700 +++ dbusd.te 2004-08-29 12:19:25.000000000 -0700 @@ -32,3 +32,7 @@
# SE-DBus specific permissions allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg }; + +allow user_t etc_dbusd_t:dir { search }; +allow user_t etc_dbusd_t:file { getattr read }; +allow user_t user_t:netlink_selinux_socket { bind create };
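Review bot: the three added rules name user_t directly, while the unchanged rule above them is written against { dbus_client_domain userdomain }; hard-coding one user domain means the other domains in the userdomain attribute hit the same denials, and `allow user_t user_t:netlink_selinux_socket { bind create };` would normally be written with self as the target.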
Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Please try it out and let me know how it goes.
On Sun, 2004-08-29 at 12:32 -0700, Tom London wrote:
Russell,
Thanks, but it didn't quite work. The following change to dbusd.te seems to make graphical login work under strict/enforcing.
I think we need to rework the dbusd.te to break it into dbusd_system_t and dbusd_{user,staff}_t.
On Mon, 30 Aug 2004 05:32, Tom London selinux@comcast.net wrote:
--- /root/src.package/policy/domains/program/dbusd.te 2004-08-29 11:38:27.000000000 -0700 +++ dbusd.te 2004-08-29 12:19:25.000000000 -0700 @@ -32,3 +32,7 @@
# SE-DBus specific permissions allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg }; + +allow user_t etc_dbusd_t:dir { search }; +allow user_t etc_dbusd_t:file { getattr read }; +allow user_t user_t:netlink_selinux_socket { bind create };
One thing to remember is that any time you see user_t in policy it's a local customisation or a bug.
In this case it seems to me that one correct way of writing policy for this is the following:
allow { dbus_client_domain userdomain } etc_dbusd_t:dir { search };
allow { dbus_client_domain userdomain } etc_dbusd_t:file { getattr read };
allow { dbus_client_domain userdomain } user_t:netlink_selinux_socket { bind create };
But then we are granting almost every domain that has any significance in the security of the system read access. So why not just label the files as etc_t and remove the etc_dbusd_t type entirely?
On Wed, 2004-09-01 at 02:37, Russell Coker wrote:
One thing to remember is that any time you see user_t in policy it's a local customisation or a bug.
In this case it seems to me that one correct way of writing policy for this is the following:
allow { dbus_client_domain userdomain } etc_dbusd_t:dir { search };
allow { dbus_client_domain userdomain } etc_dbusd_t:file { getattr read };
allow { dbus_client_domain userdomain } user_t:netlink_selinux_socket { bind create };
But then we are granting almost every domain that has any significance in the security of the system read access. So why not just label the files as etc_t and remove the etc_dbusd_t type entirely?
These permissions shouldn't be granted directly to the user domains. We need per-userdomain dbusd domains defined via a macro for the per-session message bus.
On Wed, 2004-09-01 at 07:33, Stephen Smalley wrote:
These permissions shouldn't be granted directly to the user domains. We need per-userdomain dbusd domains defined via a macro for the per-session message bus.
BTW, note that in the rawhide policy, Dan (or someone) has added a domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t) to dbusd.te as a workaround so that the per-session bus daemons also run in dbusd_t, but that isn't truly what we want in the long term.
Russell,
The following changes to udev.te seem needed.... (If udev shouldn't be reading file_contexts, then dontaudit?)
Please correct/improve, tom
--- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 +++ udev.te 2004-08-29 12:40:58.000000000 -0700 @@ -44,7 +44,9 @@
# to read the file_contexts file allow udev_t { selinux_config_t default_context_t }:dir search; -allow udev_t default_context_t:file { getattr read }; +allow udev_t { selinux_config_t default_context_t }:file { getattr read }; +allow udev_t file_context_t:dir { search }; +allow udev_t file_context_t:file { getattr read };
allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read };
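Review bot: the added lines spell out dir search plus file getattr/read for file_context_t by hand, the same pattern the policy's r_dir_file() macro already expresses for udev_t elsewhere in this file; `r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t })` would replace the existing dir rule and all three changed file rules in one line and keep the "# to read the file_contexts file" comment accurate.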
Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Please try it out and let me know how it goes.
Tom London wrote:
Russell,
The following changes to udev.te seem needed.... (If udev shouldn't be reading file_contexts, then dontaudit?)
udev needs to read file_contexts. It is doing a matchpathcon in order to setup the devices with the correct context.
Please correct/improve, tom
--- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 +++ udev.te 2004-08-29 12:40:58.000000000 -0700 @@ -44,7 +44,9 @@
# to read the file_contexts file allow udev_t { selinux_config_t default_context_t }:dir search; -allow udev_t default_context_t:file { getattr read }; +allow udev_t { selinux_config_t default_context_t }:file { getattr read }; +allow udev_t file_context_t:dir { search }; +allow udev_t file_context_t:file { getattr read };
allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read };
Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Please try it out and let me know how it goes.
On Mon, Aug 30, 2004 at 02:20:32PM -0400, Daniel J Walsh wrote:
Tom London wrote:
Russell,
The following changes to udev.te seem needed.... (If udev shouldn't be reading file_contexts, then dontaudit?)
udev needs to read file_contexts. It is doing a matchpathcon in order to setup the devices with the correct context.
dan, dan, you MUST fix the bug in that patch before making changes to the selinux policy files for udev!!!
matchpathcon() is being called with S_IFDIR not with the mode argument!
l.
Thanks Russell and Tom. Merged into sourceforge policy using r_dir_file() for selinux_config_t, file_context_t, and default_context_t.
Showing only the part changed from Russell's patch:
--- domains/program/unused/udev.te 27 Aug 2004 13:14:05 -0000 1.17 +++ domains/program/unused/udev.te 30 Aug 2004 19:36:44 -0000 @@ -32,19 +31,19 @@ allow udev_t device_t:blk_file create_file_perms; allow udev_t device_t:chr_file create_file_perms; allow udev_t device_t:sock_file create_file_perms; -allow udev_t etc_t:file { getattr read execute }; +allow udev_t device_t:lnk_file create_lnk_perms; +allow udev_t etc_t:file { getattr read }; allow udev_t { bin_t sbin_t }:dir r_dir_perms; allow udev_t { sbin_t bin_t }:lnk_file read; -can_exec(udev_t, { shell_exec_t bin_t sbin_t } ) +allow udev_t bin_t:lnk_file read; +can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } ) can_exec(udev_t, udev_exec_t) -can_exec(udev_t, hostname_exec_t) -can_exec(udev_t, iptables_exec_t) r_dir_file(udev_t, sysfs_t) allow udev_t sysadm_tty_device_t:chr_file { read write }; allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms }; -# to read the file_contexts file? -r_dir_file(udev_t, policy_config_t) +# to read the file_contexts file +r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read };
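Review bot: `+allow udev_t bin_t:lnk_file read;` duplicates the unchanged `allow udev_t { sbin_t bin_t }:lnk_file read;` two lines above it and can be dropped. Adding etc_t to `can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )` lets udev_t execute any file labelled etc_t, not only /etc/udev/scripts/pam_console.dev that produced the execute_no_trans denial; a dedicated exec type for the udev scripts directory would grant the same behaviour with a much narrower scope.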
On Sun, 2004-08-29 at 15:53, Tom London wrote:
Russell,
The following changes to udev.te seem needed.... (If udev shouldn't be reading file_contexts, then dontaudit?)
Please correct/improve, tom
--- /tmp/patches/udev.te 2004-08-29 11:35:48.000000000 -0700 +++ udev.te 2004-08-29 12:40:58.000000000 -0700 @@ -44,7 +44,9 @@
# to read the file_contexts file allow udev_t { selinux_config_t default_context_t }:dir search; -allow udev_t default_context_t:file { getattr read }; +allow udev_t { selinux_config_t default_context_t }:file { getattr read }; +allow udev_t file_context_t:dir { search }; +allow udev_t file_context_t:file { getattr read };
allow udev_t policy_config_t:dir { search }; allow udev_t proc_t:file { read };
Russell Coker wrote:
On Sun, 29 Aug 2004 04:29, Tom London selinux@comcast.net wrote:
Newest Rawhide updates (including udev-030-10, mkinitrd-4.1.8-1, kernel-2.6.8-1.532, and selinux-policy-strict-1.17.5-2) now boots in strict/enforcing.
I've attached a diff against the CVS policy as well as the .te and .fc files for udev changes which fix this and address some other issues as well.
Please try it out and let me know how it goes.
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.