[idea] udev + selinux

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Aug 31 12:46:13 UTC 2004 

On Tue, Aug 31, 2004 at 12:27:15PM +0200, Nigel Kukard wrote:

> > > and modified udev to set the correct 
> > > context of its root_path on startup.
> > 
> >  mount -o fscontext=system_u:object_r:device_t yes?
> >
> 
> nope....   mount -t ramfs none /dev
> 
> then run   udevstart   (udevstart does the C call to restorecon on
> root_path, so it ends up being labeled with whatever is configured) 
  
  oh, does it?

  oh!

> >  did you patch selinux/hooks.c to relax the constraints on
> >  the fscontext= parameter to allow the correct context to be
> >  correctly applied?  :)
> >
> 
> correct, not sure if this is the 100% right way to do it though, I think
> it would be better for the capabilities of the fs to be set properly
> instead of commenting out code, this will have better chance being
> included mainstream.
>
 
 well if someone wants to write a new patch to hooks.c and invent
 a new mount -o option oh i dunno overridecontext=.... then sure.

 it's all the same to me.

> > > > 
> > > >  so, not only must udev be patched to restore contexts but also
> > > >  the policies and various hacks added to "cope" with /dev being
> > > >  incredibly basic at startup - prior to udev running.
> > > 
> > > i have a simple persistent /dev which is used before udev runs, udev is
> > > then initialized, mounts a tmpfs over /dev (and restores its context) 
> > 
> >  oh.  ah.... you _restore_ its context (i.e. run restorecon
> >  /dev), you don't mount it with the modified mount -o fscontext=
> >  parameter?
> 
> correct!, it does the restore in udevstart

 ok.

 my question is: is this desirable behaviour?

> > > Seeing as my initial /dev is on a persistent 
> > > filesystem i don't have a problem with pre-udev stuff running.
> > 
> >  well.... you shouldn't... until you reinitialise or somehow delete,
> >  upgrade or otherwise modify the "old" /dev [which you will find is
> >  remounted --rbind to /.dev].
> 
> got no reason to add other entries to the pre-udev /dev, so as I said
> ItWorksForMe(tm).
> 
> > 
> >  try it: do setfiles /etc/selinux/src/file_contexts/file_contexts /.dev
> >  and then reboot [in permissive mode!!!]
> > 
> >  due to the present files/types.fc, you will find that the entire
> >  /.dev gets relabelled to something completely useless: root_t
> >  or default_t.  i think it's default_t.
> 
> yep, i'm 100% aware of this... i don't need /.dev, nor do I have it, nor
> do I want it ... heh, on installation of our distribution the pre-udev
> /dev is created and labeled correctly.

 ... how?

 and can you guarantee that it will _stay_ labelled correctly?


> > 
> >  consequently your next reboot in enforcing mode will fail because
> >  /sbin/init tries to access /dev/null and /dev/initctl etc. as
> >  default_t ... and it can't.
> > 
> 
> yep, but as I said... i don't label pre-udev /dev when udev is running,
> before I added it to our distro installer I mounted /dev/hda1 (root) as
> /mnt/hda1, chroot'd onto it and re-labeled the files there  (basically
> the same thing our installer does)

 that's cheating :)

> >  the list i have so far in /etc/modules.postudev contains (for my purposes):
> > 
> >  ppp_generic
> >  nvidia
> >  sg
> > 
> 
> no probs with any of these either (and yes we do use them), the pc i'm
> on runs dual-head nvidia ;-)
 
 bizarre.

 how do you deal with that?

 perhaps an answer would be best off-selinux list because it's not
 entirely relevant to selinux, more the use of it.


> every distro is different, so i would expect some to gulp bubbles and
> some not to... *shrug*
> 
> >  i don't believe that these modules should be loaded prior to udev
> >  being run: maybe they can, maybe they can't, maybe the nodes being
> >  loaded prior will result in a pending hotplug event such that when
> >  udev is run, the node gets created.
> 
> we load them after udev, and everything ends up labeled correctly...
> 
> for instance...
> 
> ot at localhost.localdomain policy]# ls -Z /dev/ppp
> ls: /dev/ppp: No such file or directory
> [root at localhost.localdomain policy]# modprobe ppp_generic
                                       ^^^^^^^^^^^^^^^^^^^^
  this is the bit that my /etc/init.d/modutils.postudev initscript
  does for me: i'd be interested to know if you do something similar.

  i can't be telling users to do _that_ they're unlikely
  even know what a ppp is, that a modprobe is something to do
  with police investigations in the 70s into the sex pistols,
  and if you mentioned xterm they'd call rentakill.


> [root at localhost.localdomain policy]# ls -Z /dev/ppp
> crw-------  root     root     system_u:object_r:ppp_device_t   /dev/ppp
> [root at localhost.localdomain policy]#

 yes, this i'd expect to happen... _if_ the modprobe ppp_generic command
 is ever issued [and users shouldn't be expected to do it!]

> >  perhaps there should be a "hook" into tmpfs to be able to pass
> >  filenames accessed in /dev on to udev, such that udev can go
> >  "oo, they tried to access /dev/ppp, let's kick off that module,
> >   then".
> 
> if you need any of my initscripts or anything, give me a shout, i've
> nearly got a 100% functional selinux enabled server!  ;-)

 if you could place them on a convenient http-accessible server
 somewhere near you, that'd be great.

 l.

More information about the fedora-selinux-list mailing list