From: vaclav.ovsik@i.cz (Václav Ovsík)
Date: Mon, 1 Sep 2008 19:12:32 +0200
Subject: [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds
Message-ID: <20080901171232.GA4104@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I am running Debian unstable (Sid) with the latest refpolicy packaged by Russell Coker (2:0.0.20080702-6) with the unconfined module (permissive mode). I have caught a problem with running update-initramfs under the unconfined user (system initrd image generation). The hook script udev is trying to discover the libraries used by udev by running the command "ldd /sbin/udev", which emits:

[ 180.506850] type=1400 audit(1219673765.136:5): avc: denied { use } for pid=1944 comm="udevd" path="/dev/tty1" dev=tmpfs ino=998 scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0 tclass=fd
[ 180.534524] type=1300 audit(1219673765.136:5): arch=40000003 syscall=11 success=yes exit=0 a0=8f93ee8 a1=8f93e68 a2=8f7d008 a3=0 items=0 ppid=1936 pid=1944 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

One wants to see the output from udevd --help, e.g., also... So attached is a patch.

Thanks
-- 
Zito

-------------- next part --------------
Index: selinux-policy-src/policy/modules/system/udev.te
===================================================================
--- selinux-policy-src.orig/policy/modules/system/udev.te	2008-08-14 15:44:13.000000000 +0200
+++ selinux-policy-src/policy/modules/system/udev.te	2008-08-14 15:45:56.000000000 +0200
@@ -106,6 +106,7 @@
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
+domain_use_interactive_fds(udev_t)
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
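Review bot: the added `domain_use_interactive_fds(udev_t)` is broader than the reported denial: in refpolicy's domain.if that interface grants `allow $1 domain:fd use;`, so udev_t may now use file descriptors inherited from every domain, not only the getty_t terminal fd on /dev/tty1 shown in the AVC. If the goal is only to make `ldd /sbin/udevd` and `udevd --help` usable from a terminal without noise, consider whether the all-domains grant is acceptable for a daemon that is normally started by init, and whether `domain_dontaudit_use_interactive_fds(udev_t)` would suffice where the output is not actually needed. Also worth checking: the fd use grant alone does not cover read/write on the terminal chr_file itself, so after applying this hunk, run `udevd --help` from a tty in permissive mode and confirm no follow-on denial on the tty device appears before the patch is considered complete.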