Device nodes have no type when booting a 2.6.32.*.fc12 kernel

Karl-Michael Schneider karlmicha at gmail.com
Tue May 25 18:47:04 UTC 2010


On Mon, May 24, 2010 at 12:28 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Mon, 2010-05-24 at 15:07 -0400, Stephen Smalley wrote:
>> On Mon, 2010-05-24 at 11:54 -0700, Karl-Michael Schneider wrote:
>> > I have fc12 installed on a Lenovo R61 laptop with two kernels:
>> >
>> > kernel-2.6.31.12-174.2.22.fc12.i686
>> > kernel-2.6.32.12-115.fc12.i686
>> >
>> > The 2.6.31 kernel has no problem. But when I try to boot the 2.6.32
>> > kernel it fails because SELinux is blocking access to device nodes. I
>> > can only boot the 2.6.32 kernel in single user mode. The reason is
>> > that /dev and all files in it have no type:
>> >
>> > $ ls -lZ /dev
>> > crw-------. root root system_u:object_r:unlabeled_t:s0 agpgart
>> <snip>
>> > The filesystem is ext3 on LVM:
>> >
>> > $ cat /etc/fstab
>> > /dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
>> > ...
>> >
>> > The filesystem was created when I installed FC9. Later I upgraded to
>> > FC12. But the problem only appeared when the kernel was updated from
>> > 2.6.31 to 2.6.32. All 2.6.32 kernels so far had the same problem.
>> >
>> > I have already relabeled the filesystem, but it didn't help. I tried
>> > restorecon -R -v /dev after booting the 2.6.32 kernel but it didn't do
>> > anything.
>>
>> Sounds like the devtmpfs mount with a policy that doesn't know about it.
>> dmesg | grep SELinux
>> grep /dev /proc/mounts
>
> I suspect your policy update didn't go cleanly and aborted during %post,
> especially if you tried going all the way from F9 to F12.  I'd suggest
> doing:
> mv /etc/selinux/targeted /etc/selinux/targeted.orig
> yum reinstall selinux-policy-targeted

Thanks. This resolved the /dev labeling problem.

Now I get SELinux denials for a number of applications. I remember
getting the same denials after I upgraded to FC12. So I booted with
enforcing=0 and built a local policy module from the denials in audit.log,
as described in the audit2allow man page. I am posting it here:

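# Local policy module produced by audit2allow from the AVC denials recorded in
# audit.log while the machine was booted with enforcing=0 (see the message
# above). The "#!!!!" lines are audit2allow's own hints; lines marked
# NOTE(review) were added on review.
#
# NOTE(review): audit2allow lists everything that was denied, not what the
# applications need. Every rule below is a permanent, system-wide grant, so
# before loading the module prefer the alternatives the hints point at:
#   - a rule naming unlabeled_t (as object or as source) usually means a file
#     or process lost its label; fix the label instead of allowing the access;
#   - a hint naming a boolean: set it with `setsebool -P <boolean> on` instead;
#   - a hint listing the types a domain may already write to: the file or
#     directory in the AVC is probably mislabeled; check its path and relabel.
#
# Fixed on review: the continuation lines of the xdm_t "can write to a 'dir'"
# hint had lost their leading '#', which makes checkmodule reject the file.
module local 1.0;

require {
        type unconfined_t;
        type system_dbusd_var_run_t;
        type sound_device_t;
        type usr_t;
        type xdm_var_lib_t;
        type dri_device_t;
        type NetworkManager_t;
        type user_home_t;
        type var_spool_t;
        type initrc_t;
        type system_dbusd_t;
        type var_lock_t;
        type xdm_dbusd_t;
        type session_dbusd_tmp_t;
        type unlabeled_t;
        type removable_device_t;
        type consolekit_t;
        type var_lib_t;
        type gnomeclock_t;
        type gconfd_exec_t;
        type var_t;
        type xdm_t;
        class process sigchld;
        class unix_stream_socket connectto;
        class dbus send_msg;
        class chr_file { getattr setattr };
        class file { rename execute setattr read execmod getattr execute_no_trans write ioctl unlink open create append };
        class sock_file { write create unlink };
        class blk_file { getattr setattr };
        class dir { write search setattr read remove_name add_name };
}

#============= NetworkManager_t ==============
# NOTE(review): this lets NetworkManager execute files that carry no label.
# Identify the file from the AVC and restorecon it; keep this rule only if the
# file genuinely cannot be labeled.
allow NetworkManager_t unlabeled_t:file { ioctl execute read open getattr execute_no_trans };
allow NetworkManager_t var_lib_t:file { read create open getattr };
allow NetworkManager_t var_lock_t:dir search;

#============= consolekit_t ==============
# getattr/setattr on device nodes of the listed device types.
allow consolekit_t dri_device_t:chr_file { getattr setattr };
allow consolekit_t removable_device_t:blk_file { getattr setattr };
allow consolekit_t sound_device_t:chr_file { getattr setattr };

#============= gnomeclock_t ==============
# NOTE(review): the D-Bus peer is initrc_t, which suggests some service is
# still running in initrc_t instead of its own domain — confirm which one
# before granting this.
allow gnomeclock_t initrc_t:dbus send_msg;

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'
# NOTE(review): prefer `setsebool -P allow_execmod on` over this rule.

allow unconfined_t usr_t:file execmod;

#============= unlabeled_t ==============
# NOTE(review): here unlabeled_t is the *source* domain, i.e. a process that
# is running without a label. Find that process and fix its context rather
# than allowing it to signal unconfined_t.
allow unlabeled_t unconfined_t:process sigchld;

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t gconfd_exec_t:file { read execute open execute_no_trans };
allow xdm_dbusd_t self:unix_stream_socket connectto;
allow xdm_dbusd_t session_dbusd_tmp_t:sock_file { write create unlink };
allow xdm_dbusd_t system_dbusd_t:dbus send_msg;
allow xdm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow xdm_dbusd_t system_dbusd_var_run_t:dir search;
allow xdm_dbusd_t system_dbusd_var_run_t:sock_file write;
allow xdm_dbusd_t xdm_t:unix_stream_socket connectto;
#!!!! The source type 'xdm_dbusd_t' can write to a 'dir' of the following types:
# session_dbusd_tmp_t, tmp_t
# NOTE(review): the two xdm_var_lib_t rules below most likely cover a
# mislabeled session-bus directory; check the path in the AVC and consider
# relabeling it before keeping these rules.

allow xdm_dbusd_t xdm_var_lib_t:dir { read write add_name remove_name };
#!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following type:
# session_dbusd_tmp_t

allow xdm_dbusd_t xdm_var_lib_t:file { rename read create write getattr unlink open append };

#============= xdm_t ==============
# NOTE(review): as with gnomeclock_t above, a D-Bus peer of initrc_t points
# at a service without its own domain.
allow xdm_t initrc_t:dbus send_msg;
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
# NOTE(review): prefer `setsebool -P allow_polyinstantiation on` over this
# rule and the two further down that carry the same hint.

allow xdm_t session_dbusd_tmp_t:dir setattr;
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# xserver_log_t, var_log_t, xdm_log_t, pam_var_run_t, xdm_var_lib_t,
# xdm_var_run_t, xdm_home_t, pam_var_console_t, pcscd_var_run_t,
# xkb_var_lib_t, xdm_rw_etc_t, var_lock_t, root_t, tmp_t, var_t,
# user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t,
# user_home_dir_t, locale_t, var_auth_t, tmpfs_t, var_spool_t,
# user_tmp_t, auth_cache_t, var_lib_t, var_run_t, xdm_tmpfs_t,
# xdm_tmp_t, root_t, nfs_t

allow xdm_t session_dbusd_tmp_t:dir { write remove_name add_name };
allow xdm_t session_dbusd_tmp_t:sock_file { write create unlink };
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t user_home_t:file { write rename };
allow xdm_t var_spool_t:file unlink;
# NOTE(review): write/create/unlink on generic var_t content is broad; the
# hint above lists the more specific types xdm_t may already write to, so
# the target is probably a mislabeled directory under /var.
allow xdm_t var_t:dir setattr;
allow xdm_t var_t:file { write rename create unlink setattr };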

