I was getting a _huge_ number of avc messages telling me that kernel_t was denied executing udev_exec_t. I ended up adding the following to my local policy mods, but I have no idea if that was the right thing to do:
    allow kernel_t udev_exec_t:file { read execute };
    allow kernel_t udev_t:process transition;
    type_transition kernel_t udev_exec_t:process udev_t;
    allow kernel_t udev_t:process { noatsecure rlimitinh siginh };
    allow udev_t kernel_t:fifo_file { read write };
    allow udev_t kernel_t:process { sigchld };
    allow udev_t kernel_t:unix_dgram_socket { read write ioctl };
Does adding domain_auto_trans(kernel_t, udev_exec_t, udev_t) to udev.te fix your problem? Dan
I am not sure (I do not really understand udev, so I am not sure how to tell whether it is really working properly) - I was more interested in getting rid of the udev avc messages than in getting it to work. Also note that I had to add other things, including unix_dgram_socket and fifo_file lines. In short, I can report the avc messages I see, but I am not the right person to really test the udev policies.
Somehow, once I enable the transition from kernel_t to udev_t on udev_exec_t, udev_t ends up calling hotplug scripts:
    allow udev_t hotplug_etc_t:file { getattr read };
    #EXE=/bin/bash PATH=/etc/hotplug/hotplug.functions : getattr
    #EXE=/bin/bash NAME=hotplug.functions : read
    #EXE=/bin/bash PATH=/etc/hotplug/net.agent : getattr
Currently my experimental (and pretty much untested) policy mods for udev include the following:
    domain_auto_trans(kernel_t, udev_exec_t, udev_t)
    domain_auto_trans(udev_t, hotplug_etc_t, hotplug_t)
    allow udev_t kernel_t:unix_dgram_socket { read write ioctl };
    allow udev_t var_run_t:file { read };
    allow udev_t hotplug_etc_t:dir { getattr search };
The var_run_t is here because of the avcs with exe=/sbin/pam_console_setowner name=console.lock scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_run_t tclass=file
Fixed in selinux-policy-strict-1.13.2-7.src.rpm
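The thread above turns a flood of avc denials into policy lines by hand. The following is an added example, not code from this report or from the selinux-policy package: it collapses denial lines into one allow rule per (source, target, class) and, instead of a bare allow, flags execute denials on *_exec_t files as candidates for a domain transition, which is the suggestion made for kernel_t and udev_exec_t. The log lines are constructed, and deriving the target domain by dropping "_exec" from the type name is an assumed naming heuristic.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the avc fields quoted in this thread.
SAMPLE_LOG = """\
audit(1084000000.101:0): avc:  denied  { execute } for  pid=41 name=udev scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:udev_exec_t tclass=file
audit(1084000000.102:0): avc:  denied  { read } for  pid=41 name=udev scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:udev_exec_t tclass=file
audit(1084000000.103:0): avc:  denied  { execute } for  pid=42 name=udev scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:udev_exec_t tclass=file
audit(1084000000.104:0): avc:  denied  { read } for  pid=50 exe=/sbin/pam_console_setowner name=console.lock scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_run_t tclass=file
audit(1084000000.105:0): avc:  denied  { getattr } for  pid=51 exe=/bin/bash path=/etc/hotplug/net.agent scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=file
audit(1084000000.106:0): avc:  denied  { read } for  pid=51 exe=/bin/bash name=hotplug.functions scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_etc_t tclass=file
kernel: unrelated line that is not an avc message
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Collapse avc denials into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        try:
            key = (type_of(fields["scontext"]), type_of(fields["tcontext"]),
                   fields["tclass"])
        except (KeyError, IndexError):
            continue  # truncated or malformed record
        rules[key].update(m.group(1).split())
    return dict(rules)

def render(rules):
    """Emit allow rules; flag execute on *_exec_t files for human review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if cls == "file" and "execute" in perms and tgt.endswith("_exec_t"):
            domain = tgt[:-len("_exec_t")] + "_t"  # assumed naming heuristic
            out.append(f"# review: consider domain_auto_trans({src}, {tgt}, {domain})")
        else:
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_LOG))))
```

The output is a starting point for review, not policy to load as-is: each allow rule widens what the source domain may do.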