Re: .udev.tdb ?

On Wed, 21 Jul 2004 02:35, Tom London <selinux@xxxxxxxxxxx> wrote:
> Yikes.... sorry, but this doesn't look right....
> now produces hordes of 'restorecon' avcs....
>
> Jul 20 09:23:46 fedora kernel: audit(1090340592.421:0): avc:  denied  {
> read write } for  pid=991 exe=/sbin/restorecon path=/dev/.udev.tdb
> dev=hda2 ino=2698913 scontext=system_u:system_r:restorecon_t
> tcontext=system_u:object_r:udev_tbl_t tclass=file

udev calls restorecon to set the correct type of a device node it has just 
created.

restorecon has no business in opening /dev/.udev.tdb and I really doubt that 
it is doing so.  I expect that udev is opening /dev/.udev.tdb, not using 
fcntl(fd, F_SETFD, FD_CLOEXEC) to set the fd to close on execute, and not 
calling close(fd) before the exec.

Please file a bugzilla report about this.  To assist in tracking it down 
rename /sbin/restorecon to /sbin/restorecon.orig and put the following shell 
script in place as /sbin/restorecon:
#!/bin/sh
echo -n params: >> /root/file
for n in $*; do echo -n "$n "; done >> /root/file
echo "" >> /root/file
ls -l /proc/self/fd >> /root/file
exec /sbin/restorecon.orig $*

Run the machine in permissive mode while doing this and don't bother about the 
AVC messages about not being permitted to write to /root/file.

> Jul 20 09:23:47 fedora kernel: audit(1090340600.740:0): avc:  denied  {
> unlink } for  pid=1297 exe=/sbin/udev name=microcode dev=hda2
> ino=2689375 scontext=system_u:system_r:udev_t
> tcontext=system_u:object_r:device_t tclass=lnk_file

allow udev_t device_t:lnk_file create_file_perms;
Add the above policy to allow this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page