Package: selinux-policy-default
Version: 2:0.0.20080702-6
Severity: normal
Tags: patch

Hi,
I get denials while update-initramfs (mkinitramfs) is run by the postinst
script.

[  180.506850] type=1400 audit(1219673765.136:5): avc:  denied  { use } for  
pid=1944 comm="udevd" path="/dev/tty1" dev=tmpfs ino=998 
scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:getty_t:s0 tclass=fd
[  180.534524] type=1300 audit(1219673765.136:5): arch=40000003 syscall=11 
success=yes exit=0 a0=8f93ee8 a1=8f93e68 a2=8f7d008 a3=0 items=0 ppid=1936 
pid=1944 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" 
subj=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

One also wants to see the output from e.g. udevd --help...
So a patch is attached.
Thanks
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-3    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-4   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-5   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-1   SELinux policy compiler
ii  setools                       3.3.4.ds-4 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information
Index: selinux-policy-src/policy/modules/system/udev.te
===================================================================
--- selinux-policy-src.orig/policy/modules/system/udev.te	2008-08-14 15:44:13.000000000 +0200
+++ selinux-policy-src/policy/modules/system/udev.te	2008-08-14 15:45:56.000000000 +0200
@@ -106,6 +106,7 @@
 
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
+domain_use_interactive_fds(udev_t)
 
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
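
Review bot: the added domain_use_interactive_fds(udev_t) line has no comment explaining why udev_t needs it, while the line directly above it documents its trigger ("#pidof triggers these"). Please add a short comment naming the case from the report (udevd started from a terminal, e.g. via update-initramfs in a postinst script, or udevd --help). The logged denial is a single { use } on an fd with tcontext getty_t and path /dev/tty1, so it is also worth stating in the changelog whether the interface grants only that access or a wider set of interactive fds, and why an allow rule rather than a dontaudit is wanted here.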
