Bug 128304

Summary: | udev needs fcntl(fd, F_SETFD, FD_CLOEXEC) for .udev.tdb | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux>
Component: | udev | Assignee: | Harald Hoyer <harald>
Status: | CLOSED RAWHIDE | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | rawhide | |
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i686 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2004-07-26 15:01:23 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Tom London
2004-07-21 16:02:15 UTC
Sorry, I pasted the wrong log message in the above message. Here are the correct ones:

Jul 19 20:47:16 fedora kernel: audit(1090295205.741:0): avc: denied { read write } for pid=992 exe=/sbin/restorecon path=/dev/.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:udev_tbl_t tclass=file
Jul 19 20:47:16 fedora kernel: audit(1090295205.748:0): avc: denied { read write } for pid=993 exe=/sbin/restorecon path=/dev/.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:udev_tbl_t tclass=file

I've worked around the problem by explicitly closing fd 4 in /etc/dev.d/default/selinux.dev: replacing the line

/sbin/restorecon $DEVNAME

with

/sbin/restorecon $DEVNAME 4<&-

makes the restorecon succeed. [Of course, this will not work if /dev/.udev.tdb is not opened to fd 4.]

Probably a better fix would be to close this fd before the execv() in run_program() (in dev_d.c). Best done with a call to udevdb_exit(). Here's a patch. I have not compiled/tested it. [I didn't trace the code to see if any other fd's needed to be closed before the execv()......]

*** dev_d.c 2004-07-02 11:17:02.000000000 -0700 --- dev_d.c.new 2004-07-22 18:27:22.138044730 -0700 *************** *** 26,31 **** --- 26,32 ---- #include <unistd.h> #include "udev.h" #include "udev_lib.h" + #include "udevdb.h" #include "logging.h" #define DEVD_DIR "/etc/dev.d/" *************** *** 41,46 **** --- 42,48 ---- switch (pid) { case 0: /* child */ + udevdb_exit(); /* close udevdb */ execv(name, main_argv); dbg("exec of child failed"); exit(1);
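Review bot: the udevdb_exit() call added before execv() in the `case 0:` child branch of run_program() closes the .udev.tdb handle at this one fork site only, so any other place udev spawns a helper keeps leaking the descriptor, and the reporter states the change is uncompiled and untested. The fix named in the bug summary, marking the descriptor close-on-exec where udevdb opens it (fcntl(fd, F_SETFD, FD_CLOEXEC)), covers every exec path with one change and does not depend on udevdb_exit() being safe to call in a forked child. If the udevdb_exit() call stays, the first hunk's `#include "udevdb.h"` is needed for its prototype, and the reporter's open question about other descriptors left open across the execv() should be answered before merging.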
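The descriptor leak the report describes, and the FD_CLOEXEC fix the bug summary asks for, as an added C example that is not udev's code: it opens a constructed state file, forks and execs /bin/sh as a stand-in for the /etc/dev.d/ helper, and reports whether the helper inherited the descriptor. The file path, the helper command and the `: >&N` probe are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a state file the way a daemon opens /dev/.udev.tdb; with close_on_exec
 * set, mark it FD_CLOEXEC so the kernel closes it in every exec()ed helper. */
int open_state_file(const char *path, int close_on_exec)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600), flags;
    if (fd < 0)
        return -1;
    if (!close_on_exec)
        return fd;
    flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec a helper, as udev's run_program() does for dev.d scripts, and
 * report whether the helper still sees descriptor fd.  The helper is /bin/sh
 * running ": >&N", which exits 0 only if fd N is open after the exec.
 * Returns 1 if the fd leaked into the helper, 0 if not, -1 on error. */
int fd_leaks_into_helper(int fd)
{
    char cmd[32];
    int status;
    snprintf(cmd, sizeof cmd, ": >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                         /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    const char *path = "/tmp/cloexec-demo.tdb";   /* constructed sample path */
    int plain = open_state_file(path, 0), safe = open_state_file(path, 1);
    printf("plain fd %d leaked=%d, FD_CLOEXEC fd %d leaked=%d\n",
           plain, fd_leaks_into_helper(plain), safe, fd_leaks_into_helper(safe));
}
```

The reporter's `4<&-` workaround closes one descriptor number in one script; FD_CLOEXEC set at open time covers every helper regardless of which number the file lands on.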