Bug 122970 – kernel_t needs to be able to execute udev_exec_t?

Bug 122970 - kernel_t needs to be able to execute udev_exec_t?

Summary:	kernel_t needs to be able to execute udev_exec_t?

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	policy (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:	SELinux

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2004-05-10 16:12 EDT by Aleksey Nogin
Modified:	2007-11-30 17:10 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-06-23 15:31:28 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Aleksey Nogin 2004-05-10 16:12:49 EDT

I was getting a _huge_ number of avc messages telling me that kernel_t
was denied executing udev_exec_t.

I ended up adding the following to my local policy mods, but I have no
idea if that was a right thing to do:

allow kernel_t udev_exec_t:file { read execute };
allow kernel_t udev_t:process transition;
type_transition kernel_t udev_exec_t:process udev_t;
allow kernel_t udev_t:process { noatsecure rlimitinh siginh };
allow udev_t kernel_t:fifo_file { read write };
allow udev_t kernel_t:process { sigchld };
allow udev_t kernel_t:unix_dgram_socket { read write ioctl };

Comment 1 Daniel Walsh 2004-05-10 16:20:46 EDT

Does adding 
domain_auto_trans(kernel_t, udev_exec_t, udev_t)
to udev.te fix your problem?

Dan

Comment 2 Aleksey Nogin 2004-05-10 16:33:53 EDT

I am not sure (I am not really understand udev, so I am not sure how
to tell whether it is really working properly) - I was more interested
in getting rid of the udev avc messages than in getting it to work.
Also note that I had to add other things, including unix_dgram_socket
and fifo_file lines.

In short, I can report the avc messages I see, but I am not the right
person to really test the udev policies.

Comment 3 Aleksey Nogin 2004-05-12 01:35:37 EDT

Somehow, once I enable the transition from kernel_t to udev_t on
udev_exec_t, udev_t ends up calling hotplug scripts:

allow udev_t hotplug_etc_t:file { getattr read };
        #EXE=/bin/bash  PATH=/etc/hotplug/hotplug.functions   :  getattr
        #EXE=/bin/bash  NAME=hotplug.functions   :  read
        #EXE=/bin/bash  PATH=/etc/hotplug/net.agent   :  getattr

Currently my experimental (end pretty much untested) policy mods for
udev include the following:

domain_auto_trans(kernel_t, udev_exec_t, udev_t)
domain_auto_trans(udev_t, hotplug_etc_t, hotplug_t)
allow udev_t kernel_t:unix_dgram_socket { read write ioctl };
allow udev_t var_run_t:file { read };
allow udev_t hotplug_etc_t:dir { getattr search };

The var_run_t is here because of the avcs with
exe=/sbin/pam_console_setowner name=console.lock
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_run_t
tclass=file

Comment 4 Daniel Walsh 2004-06-02 14:45:02 EDT

Fixed in selinux-policy-strict-1.13.2-7.src.rpm

Note You need to log in before you can comment on or make changes to this bug.