Bug 441054
| Summary: | udev sets symlink context on symlink target | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Milan Zázrivec <mzazrivec> | ||||||||||||
| Component: | udev | Assignee: | Harald Hoyer <harald> | ||||||||||||
| Status: | CLOSED ERRATA | QA Contact: | Milan Zázrivec <mzazrivec> | ||||||||||||
| Severity: | low | Docs Contact: | |||||||||||||
| Priority: | high | ||||||||||||||
| Version: | 5.2 | CC: | atodorov, dwalsh, harald, notting | ||||||||||||
| Target Milestone: | rc | ||||||||||||||
| Target Release: | --- | ||||||||||||||
| Hardware: | All | ||||||||||||||
| OS: | Linux | ||||||||||||||
| Whiteboard: | |||||||||||||||
| Fixed In Version: | RHBA-2008-0374 | Doc Type: | Bug Fix | ||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||
| Clone Of: | Environment: | ||||||||||||||
| Last Closed: | 2008-05-21 15:59:36 UTC | Type: | --- | ||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||
| Documentation: | --- | CRM: | |||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
| Embargoed: | |||||||||||||||
| Bug Depends On: | |||||||||||||||
| Bug Blocks: | 439080, 439082 | ||||||||||||||
| Attachments: |
|
||||||||||||||
|
Description
Milan Zázrivec
2008-04-05 16:20:25 UTC
Created attachment 301376 [details]
/var/log/messages
*** Bug 440290 has been marked as a duplicate of this bug. *** Any input on why udev is doing this Bill? Or should I just revert to the old initscript method of scanning hwconf for driver entries instead of using udevtrigger? udevtrigger generates events for the devices in /sys. I'm not sure why that would cause a relabel, though. Does echo '1' (or 'add') to /sys/block/sda/uevent cause the mislabeling as well? I can't answer your question Bill, evidently none of my machines have selinux enabled and so they all list the device as unlabeled. Milan, can you check this? (In reply to comment #4) > Does echo '1' (or 'add') to /sys/block/sda/uevent cause the mislabeling as well? Bingo! # ls -Z /dev/sda brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/sda # echo 1 > /sys/block/sda/uevent # ls -Z /dev/sda brw-r----- root disk system_u:object_r:device_t /dev/sda Created attachment 301574 [details]
/var/log/messages
If that helps, here's part of /var/log/messages showing what's happening after
# echo 1 > /sys/block/sda/uevent
Apr 8 06:19:46 ivy udevd-event[2820]: udev_node_mknod: preserve file
'/dev/sda', because it has correct dev_t
though it re-sets the selinux context...
selinux_setfilecon(file, udev->dev->kernel_name, stats.st_mode);
on creation: selinux_setfscreatecon: matchpathcon(file, mode, &scontext) setfscreatecon(scontext); mknod(...); in this case: selinux_setfilecon: matchpathcon(file, mode, &scontext) setfilecon(file, scontext); I don't see anything, which would trigger a wrong relabel. Daniel? At this point, my question is whether or not we have established that this isn't really an openib bug and this needs to be switched to another component and assigned to that person? If the devices are recreated without going through the udev code path to setfilecon or setfscreatecon they would end up labeled device_t. (In reply to comment #10) > At this point, my question is whether or not we have established that this isn't > really an openib bug and this needs to be switched to another component and > assigned to that person? None of the openib bits have to be present for this problem to pop up. All you have to do is to run udevtrigger. I'm not sure what's actually causing the problem, but I certainly don't want this bugzilla to be sitting in a wrong component. Is there anything I can help with? I think this should be moved to udev. Seems like a problem with udev setting the selinux context again for symlinks. Created attachment 301766 [details]
possible patch
Created attachment 301767 [details]
better patch
dwalsh, what context should the symlinks in /dev/disk have? # ls -Z /dev/disk/* /dev/disk/by-id: lrwxrwxrwx root root system_u:object_r:device_t ata-QEMU_HARDDISK_QM00001 -> ../../hda # ls -Z /dev/hda brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/hda SELinux is preventing /sbin/udevd (rpm_script_t) "create" to ata-QEMU_HARDDISK_QM00001 (fixed_disk_device_t). seems like we can't set the same context for the symlinks. Created attachment 301781 [details]
final patch - backported from later versions
Symlinks should not be being set, the problem here is the block devices are being mislabeled. Symlinks should be device_t while block devices should be labeled fixed_disk_device_t I'm confirming that the patch from comment #20 solves the problem (udev built locally, tested on RHEL5.2-Server-20080409.nightly / i386). Giving Devel ACK as per comment #20 and comment #22. Thanks, Read ya, Phil Verified with udev-095-14.15.el5 / RHEL5.2-Server-20080422.nightly An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0374.html |