From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040625

Description of problem:
udev does not call fcntl(fd, F_SETFD, FD_CLOEXEC) for .udev.tdb. When running with SELINUX enabled, the file descriptor for .udev.tdb is left open when spawning restorecon. This causes a check for read/write access to it in the new process/context which fails:

Jul 19 18:56:06 fedora kernel: audit(1090288566.034:0): avc: denied { read write } for pid=14959 exe=/sbin/udev name=.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=file

I've traced the 'calls' to restorecon during a reboot showing args and open file descriptors. Here is a sampling of the ones from udev (notice fd 4 in each case. fd 3 also may be superfluous):

params:/dev/lp0
total 6
lrwx------ 1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------ 1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------ 1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------ 1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------ 1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------ 1 root root 64 Jul 21 07:28 5 -> /proc/2446/fd

params:/dev/snd/timer
total 6
lrwx------ 1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------ 1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------ 1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------ 1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------ 1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------ 1 root root 64 Jul 21 07:28 5 -> /proc/2632/fd

params:/dev/snd/pcmC0D0p
total 6
lrwx------ 1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------ 1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------ 1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------ 1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------ 1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------ 1 root root 64 Jul 21 07:28 5 -> /proc/2668/fd

params:/dev/snd/pcmC0D0c
total 6
lrwx------ 1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------ 1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------ 1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------ 1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------ 1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------ 1 root root 64 Jul 21 07:28 5 -> /proc/2675/fd

params:/dev/snd/controlC0
total 6
lrwx------ 1 root root 64 Jul 21 07:28 0 -> socket:[906]
l-wx------ 1 root root 64 Jul 21 07:28 1 -> /root/file
l-wx------ 1 root root 64 Jul 21 07:28 2 -> pipe:[914]
lrwx------ 1 root root 64 Jul 21 07:28 3 -> socket:[915]
lrwx------ 1 root root 64 Jul 21 07:28 4 -> /dev/.udev.tdb
lr-x------ 1 root root 64 Jul 21 07:28 5 -> /proc/2678/fd

Version-Release number of selected component (if applicable):
udev-029-4

How reproducible:
Always

Steps to Reproduce:
1. udev starts when running in strict/enforcing mode
2.
3.

Actual Results: lots of avc denial messages.....

Additional info:
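The FD_CLOEXEC point in the description, as an added example that is not udev's code: mark a descriptor close-on-exec with fcntl() and confirm from a fork()/execv() child that it no longer inherits it. It assumes a Linux-style /dev/fd/<n> and /bin/sh, and uses a constructed temp file in place of /dev/.udev.tdb.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, keeping any other descriptor flags intact. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork() and execv() /bin/sh, which tests whether fd is still open in its own
 * descriptor table via /dev/fd/<n> (assumed to exist, as on Linux).
 * Returns 1 if the fd leaked across exec, 0 if it was closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -e /dev/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/sh", "-c", cmd, NULL };
        execv("/bin/sh", argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Open a scratch file (constructed input), show it leaks into the exec'd child
 * exactly like /dev/.udev.tdb did, then show FD_CLOEXEC stops the leak.
 * Returns 0 on success, otherwise the number of the step that failed. */
int cloexec_selfcheck(void)
{
    char path[] = "/tmp/cloexec-demo.XXXXXX";
    int fd = mkstemp(path), rc = 0;
    if (fd < 0) return 1;
    if (fd_survives_exec(fd) != 1)
        rc = 2;                /* plain open(): inherited by the child */
    else if (set_cloexec(fd) != 0)
        rc = 3;
    else if (fd_survives_exec(fd) != 0)
        rc = 4;                /* with FD_CLOEXEC: gone after execv() */
    close(fd);
    unlink(path);
    return rc;
}
```

The same check run against a real helper (here restorecon) would show fd 4 before the flag is set and nothing after, which is the difference the avc denial in the report hinges on.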
Sorry, I pasted the wrong log message in the above message. Here are correct ones:

Jul 19 20:47:16 fedora kernel: audit(1090295205.741:0): avc: denied { read write } for pid=992 exe=/sbin/restorecon path=/dev/.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:udev_tbl_t tclass=file
Jul 19 20:47:16 fedora kernel: audit(1090295205.748:0): avc: denied { read write } for pid=993 exe=/sbin/restorecon path=/dev/.udev.tdb dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:udev_tbl_t tclass=file
I've worked around the problem by explicitly closing fd 4 in /etc/dev.d/default/selinux.dev: replacing the line

/sbin/restorecon $DEVNAME

with

/sbin/restorecon $DEVNAME 4<&-

makes the restorecon succeed. [Of course, this will not work if /dev/.udev.tdb is not opened to fd 4.]

Probably a better fix would be to close this fd before the execv() in run_program() (in dev_d.c). Best done with a call to udevdb_exit(). Here's a patch. I have not compiled/tested it. [I didn't trace the code to see if any other fd's needed to be closed before the execv()......]

*** dev_d.c 2004-07-02 11:17:02.000000000 -0700 --- dev_d.c.new 2004-07-22 18:27:22.138044730 -0700 *************** *** 26,31 **** --- 26,32 ---- #include <unistd.h> #include "udev.h" #include "udev_lib.h" + #include "udevdb.h" #include "logging.h" #define DEVD_DIR "/etc/dev.d/" *************** *** 41,46 **** --- 42,48 ---- switch (pid) { case 0: /* child */ + udevdb_exit(); /* close udevdb */ execv(name, main_argv); dbg("exec of child failed"); exit(1);
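Review bot: the udevdb_exit() call added in the second hunk (case 0 of the switch, just before execv()) closes the tdb handle for this one exec path only; the description names the general cause, that .udev.tdb is opened without fcntl(fd, F_SETFD, FD_CLOEXEC), so setting FD_CLOEXEC where the database is opened would cover every fork/exec in udev rather than just run_program(), and would not depend on the handle landing on fd 4 as the shell workaround does. Since the comment says the patch is uncompiled, confirm that the "udevdb.h" added in the first hunk actually declares udevdb_exit() so the child does not fail to build. The socket on fd 3, flagged in the report as possibly superfluous, is still inherited by restorecon after this change and deserves the same treatment or an explicit note on why it is needed.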