Bug 128304 - udev needs fcntl(fd, F_SETFD, FD_CLOEXEC) for .udev.tdb
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: udev
Version: rawhide
Hardware: i686 Linux
Priority: medium
Severity: medium
Reported: 2004-07-21 12:02 EDT by Tom London
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-07-26 11:01:23 EDT
Description Tom London 2004-07-21 12:02:15 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040625

Description of problem:
udev does not call fcntl(fd, F_SETFD, FD_CLOEXEC) for .udev.tdb.

When running with SELINUX enabled, the file descriptor
for .udev.tdb is left open when spawning restorecon.
This causes a check for read/write access to it in
the new process/context which fails:

     Jul 19 18:56:06 fedora kernel: audit(1090288566.034:0): avc: 
denied  { read write } for  pid=14959 exe=/sbin/udev name=.udev.tdb
dev=hda2 ino=2698913 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:device_t tclass=file

I've traced the 'calls' to restorecon during a reboot showing args and
open file descriptors.  Here is a sampling of the ones from udev
(notice fd 4 in each case. fd 3 also may be superfluous):

params:/dev/lp0
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2446/fd
params:/dev/snd/timer
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2632/fd
params:/dev/snd/pcmC0D0p
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2668/fd
params:/dev/snd/pcmC0D0c
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2675/fd
params:/dev/snd/controlC0
total 6
lrwx------  1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------  1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------  1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------  1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------  1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------  1 root root 64 Jul 21 07:28 5 -> /proc/2678/fd


Version-Release number of selected component (if applicable):
udev-029-4

How reproducible:
Always

Steps to Reproduce:
1. udev starts when running in strict/enforcing mode

Actual Results:  lots of avc denial messages.....

Additional info:
Comment 1 Tom London 2004-07-21 13:29:33 EDT
Sorry, I pasted the wrong log message in the above message.  Here are
correct ones:

Jul 19 20:47:16 fedora kernel: audit(1090295205.741:0): avc:  denied 
{ read write } for  pid=992 exe=/sbin/restorecon path=/dev/.udev.tdb
dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:udev_tbl_t tclass=file

Jul 19 20:47:16 fedora kernel: audit(1090295205.748:0): avc:  denied 
{ read write } for  pid=993 exe=/sbin/restorecon path=/dev/.udev.tdb
dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:udev_tbl_t tclass=file
Comment 2 Tom London 2004-07-22 21:30:42 EDT
I've worked around the problem by explicitly closing fd 4 in
/etc/dev.d/default/selinux.dev:

replacing the line
       /sbin/restorecon $DEVNAME
with
       /sbin/restorecon $DEVNAME 4<&-
makes the restorecon succeed.
[Of course, this will not work if /dev/.udev.tdb
is not opened to fd 4.]

Probably a better fix would be to close this fd
before the execv() in run_program() (in dev_d.c).
Best done with a call to udevdb_exit().  Here's
a patch.  I have not compiled/tested it.

[I didn't trace the code to see if any other fd's
needed to be closed before the execv()......]

*** dev_d.c     2004-07-02 11:17:02.000000000 -0700
--- dev_d.c.new 2004-07-22 18:27:22.138044730 -0700
***************
*** 26,31 ****
--- 26,32 ----
  #include <unistd.h>
  #include "udev.h"
  #include "udev_lib.h"
+ #include "udevdb.h"
  #include "logging.h"
   
  #define DEVD_DIR                      "/etc/dev.d/"
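Review bot: the added `#include "udevdb.h"` is needed rather than cosmetic, because without a prototype the udevdb_exit() call introduced in the child would compile under the pre-C99 implicit-declaration rule without any warning; it is worth confirming that udevdb.h is in fact the header that declares udevdb_exit() so the include resolves in this translation unit.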
***************
*** 41,46 ****
--- 42,48 ----
        switch (pid) {
        case 0:
                /* child */
+               udevdb_exit();  /* close udevdb */
                execv(name, main_argv);
                dbg("exec of child failed");
                exit(1);
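Review bot: closing the database with udevdb_exit() only at this one fork site fixes this exec path but not the class of problem: any other helper exec'd elsewhere still inherits the descriptor, and the socket on fd 3 that the report itself flags as possibly superfluous is still passed through unchanged. Setting the close-on-exec flag where the database is opened, with `fcntl(fd, F_SETFD, FD_CLOEXEC)` as the bug title proposes, covers every exec without a per-call-site close. As the comment states the patch is uncompiled and untested, a build plus a rerun of the restorecon AVC check in enforcing mode is needed before it can be taken.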

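An added stand-alone C example (not udev's code and not part of this bug report) that reproduces the descriptor leak the report describes and shows the fcntl(fd, F_SETFD, FD_CLOEXEC) fix from the bug title next to the leaking case: open_db() stands in for udev opening the .udev.tdb database, and probe_after_exec() mirrors the fork()/execv() path in run_program() by asking an exec'd /bin/sh whether the descriptor is still open. The path given to open_db() and the helper names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a database file the way a daemon would (stand-in for /dev/.udev.tdb);
 * with cloexec != 0, mark it close-on-exec via fcntl(F_SETFD, FD_CLOEXEC),
 * the fix the bug title asks for, so it never reaches an exec'd helper. */
int open_db(const char *path, int cloexec)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Static check: 1 if fd would survive execv(), 0 if close-on-exec is set. */
int fd_leaks_across_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* Empirical check, mirroring run_program(): fork, exec /bin/sh and ask it
 * whether descriptor fd is still open in the new program image.
 * Returns 1 if the child could still use fd (leak), 0 if not, -1 on error. */
int probe_after_exec(int fd)
{
    char cmd[40];
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* ": <&N" succeeds only if fd N is open in the exec'd shell. */
        snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}
```

With cloexec set, the exec'd program never sees the descriptor, so the access check that produced the restorecon_t AVC denials above is never made.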