From: vaclav.ovsik@i.cz (=?iso-8859-2?Q?V=E1clav_Ovs=EDk?=)
Date: Mon, 1 Sep 2008 19:12:32 +0200
Subject: [refpolicy] Debian: ldd /sbin/udevd, need to use interactive fds
Message-ID: <20080901171232.GA4104@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,
I am running Debian unstable (Sid) with latest refpolicy packaged by
Russel Coker (2:0.0.20080702-6) with unconfined module (permissive
mode). I have caught problem with running update-initramfs under
unconfined user (system initrd image generation). The hook script udev
is trying to discover libraries used by udev running command "ldd
/sbin/udev", which emits:

[  180.506850] type=1400 audit(1219673765.136:5): avc:  denied  { use } for  pid=1944 comm="udevd" path="/dev/tty1" dev=tmpfs ino=998 scontext=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0 tclass=fd
[  180.534524] type=1300 audit(1219673765.136:5): arch=40000003 syscall=11 success=yes exit=0 a0=8f93ee8 a1=8f93e68 a2=8f7d008 a3=0 items=0 ppid=1936 pid=1944 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=unconfined_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

One wants to see output from udevd --help e.g. also...
So attached is a patch.
Thanks
-- 
Zito
-------------- next part --------------
Index: selinux-policy-src/policy/modules/system/udev.te
===================================================================
--- selinux-policy-src.orig/policy/modules/system/udev.te	2008-08-14 15:44:13.000000000 +0200
+++ selinux-policy-src/policy/modules/system/udev.te	2008-08-14 15:45:56.000000000 +0200
@@ -106,6 +106,7 @@
 
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
+domain_use_interactive_fds(udev_t)
 
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)