Bug 128304

Summary: udev needs fcntl(fd, F_SETFD, FD_CLOEXEC) for .udev.tdb
Product: [Fedora] Fedora
Reporter: Tom London <selinux>
Component: udev
Assignee: Harald Hoyer <harald>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-07-26 15:01:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tom London 2004-07-21 16:02:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040625

Description of problem:
udev does not call fcntl(fd, F_SETFD, FD_CLOEXEC) for .udev.tdb.

When running with SELINUX enabled, the file descriptor
for .udev.tdb is left open when spawning restorecon.
This causes a check for read/write access to it in
the new process/context which fails:

     Jul 19 18:56:06 fedora kernel: audit(1090288566.034:0): avc:  denied  { read write } for  pid=14959 exe=/sbin/udev name=.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file

I've traced the 'calls' to restorecon during a reboot showing args and
open file descriptors.  Here is a sampling of the ones from udev
(notice fd 4 in each case. fd 3 also may be superfluous):

params:/dev/lp0
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2446/fd
params:/dev/snd/timer
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2632/fd
params:/dev/snd/pcmC0D0p
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2668/fd
params:/dev/snd/pcmC0D0c
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2675/fd
params:/dev/snd/controlC0
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2678/fd


Version-Release number of selected component (if applicable):
udev-029-4

How reproducible:
Always

Steps to Reproduce:
1. udev starts when running in strict/enforcing mode

Actual Results:  lots of avc denial messages.....

Additional info:

Comment 1 Tom London 2004-07-21 17:29:33 UTC
Sorry, I pasted the wrong log message in the above message.  Here are
correct ones:

Jul 19 20:47:16 fedora kernel: audit(1090295205.741:0): avc:  denied  { read write } for  pid=992 exe=/sbin/restorecon path=/dev/.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:udev_tbl_t tclass=file

Jul 19 20:47:16 fedora kernel: audit(1090295205.748:0): avc:  denied  { read write } for  pid=993 exe=/sbin/restorecon path=/dev/.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:udev_tbl_t tclass=file


Comment 2 Tom London 2004-07-23 01:30:42 UTC
I've worked around the problem by explicitly closing fd 4 in
/etc/dev.d/default/selinux.dev:

replacing the line
       /sbin/restorecon $DEVNAME
with
       /sbin/restorecon $DEVNAME 4<&-
makes the restorecon succeed.
[Of course, this will not work if /dev/.udev.tdb
is not opened to fd 4.]

Probably a better fix would be to close this fd
before the execv() in run_program() (in dev_d.c).
Best done with a call to udevdb_exit().  Here's
a patch.  I have not compiled/tested it.

[I didn't trace the code to see if any other fd's
needed to be closed before the execv()......]

*** dev_d.c     2004-07-02 11:17:02.000000000 -0700
--- dev_d.c.new 2004-07-22 18:27:22.138044730 -0700
***************
*** 26,31 ****
--- 26,32 ----
  #include <unistd.h>
  #include "udev.h"
  #include "udev_lib.h"
+ #include "udevdb.h"
  #include "logging.h"
   
  #define DEVD_DIR                      "/etc/dev.d/"
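Review bot: pulling udevdb.h into dev_d.c couples the dev.d runner to the database layer for one call; the fcntl(fd, F_SETFD, FD_CLOEXEC) approach named in the bug summary keeps the fix inside udevdb at the point where .udev.tdb is opened and makes this include unnecessary. If the udevdb_exit() route is kept, the include should stay, since the prototype is needed for the second hunk.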
***************
*** 41,46 ****
--- 42,48 ----
        switch (pid) {
        case 0:
                /* child */
+               udevdb_exit();  /* close udevdb */
                execv(name, main_argv);
                dbg("exec of child failed");
                exit(1);
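Review bot: calling udevdb_exit() in the child fixes only this one execv() path and, as the /proc listing in the description shows, still leaves the other inherited descriptors (fd 3, socket:[915]) open in restorecon; marking the .udev.tdb descriptor FD_CLOEXEC where it is opened closes it on every exec without per-caller cleanup. The comment also states the patch is uncompiled and untested, so before merging it should be confirmed that udevdb_exit() is safe to run in a forked child (it must only close the child's copy of the handle and not alter on-disk state the parent still uses) and that it actually closes the tdb descriptor rather than just releasing memory.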
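To make the behaviour in the description and in Comment 2 concrete, here is an added example (it is not udev code and not the reporter's patch) that reproduces the leak with a scratch file standing in for /dev/.udev.tdb and compares the two remedies discussed: the fcntl(fd, F_SETFD, FD_CLOEXEC) from the bug summary, applied at open time, and closing the descriptor in the forked child before execv() as the posted patch does. It assumes a POSIX system with fork(), execv() and /bin/sh; the scratch path, the helper command and the enum names are constructed for the example.

```c
/* Added example (not udev code): reproduce the .udev.tdb descriptor leak
 * across fork()+execv() and show the two fixes.  Assumes POSIX fork/execv
 * and /bin/sh; the mkstemp() scratch file stands in for /dev/.udev.tdb. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum fix {
    LEAK = 0,          /* what udev-029 does: nothing */
    CLOEXEC_FLAG = 1,  /* fix from the bug summary: FD_CLOEXEC at open time */
    CLOSE_IN_CHILD = 2 /* the posted patch: close in the child before execv */
};

/*
 * Open a scratch file the way udev opens its database, apply one of the
 * fixes, then spawn a helper the way run_program() in dev_d.c does.  The
 * helper ("sh -c 'echo leaked >&N'") can only write if fd N is still open
 * in the exec'd image, which is exactly what the AVC denials against
 * restorecon were reporting.
 * Returns 1 if the fd leaked across exec, 0 if it was closed, -1 on error.
 */
int fd_survives_exec(enum fix mode)
{
    char path[] = "/tmp/cloexec-demo-XXXXXX";   /* constructed scratch name */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                 /* anonymous from here on; fd stays valid */

    if (mode == CLOEXEC_FLAG && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }

    /* The shell fails the redirection, and exits non-zero, if fd N is closed. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo leaked >&%d", fd);

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* child: same shape as run_program(); the close() below plays the
         * role of udevdb_exit() in the posted patch */
        if (mode == CLOSE_IN_CHILD)
            close(fd);
        char *argv[] = { "sh", "-c", cmd, NULL };
        execv("/bin/sh", argv);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0) {
        close(fd);
        return -1;
    }

    /* Judge from the parent's side: did the helper write through our fd? */
    char buf[16] = { 0 };
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    close(fd);

    int helper_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return (helper_ok && n > 0 && strncmp(buf, "leaked", 6) == 0) ? 1 : 0;
}

static const char *verdict(int r)
{
    return r < 0 ? "error" : (r ? "leaked across exec" : "closed on exec");
}

int main(void)
{
    printf("no fix:          fd %s\n", verdict(fd_survives_exec(LEAK)));
    printf("FD_CLOEXEC:      fd %s\n", verdict(fd_survives_exec(CLOEXEC_FLAG)));
    printf("close in child:  fd %s\n", verdict(fd_survives_exec(CLOSE_IN_CHILD)));
    return 0;
}
```

Both remedies stop the helper from seeing the descriptor, but only the FD_CLOEXEC flag travels with the descriptor itself, so it covers every exec path in the process rather than the one call site that remembers to clean up; it also does nothing to the parent's copy, which keeps using the database normally. On current kernels the same effect can be had race-free by passing O_CLOEXEC to open(), which closes the window between open() and fcntl() in which another thread could fork and exec.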