Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
Date: Wed, 04 Mar 2015 17:03:10
Message-Id: 1425482184.a935b290f5ecc5e507a8a8c1d0e365ddc3e239f3.swift@gentoo
commit: a935b290f5ecc5e507a8a8c1d0e365ddc3e239f3
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 4 15:16:24 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar 4 15:16:24 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a935b290

Allow kdevtmpfs to manage /dev

The kdevtmpfs thread (running as kernel_t) is showing behavior regarding
access to and management of /dev. Of course, that is its main purpose (see
the Linux kernel source code at drivers/base/devtmpfs.c).

In bug #535992 an example denial is given:

Jan 8 01:37:29 testbed kernel: [28549.831785] audit: type=1400
audit(1420702649.386:1263): avc: denied { setattr } for pid=47
comm="kdevtmpfs" name="dm-6" dev="devtmpfs" ino=10993394
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t
tclass=blk_file permissive=1

During the LVM2 related testing something similar comes up:

time->Wed Mar 4 15:43:29 2015
type=AVC msg=audit(1425480209.997:137): avc: denied { getattr } for
pid=16 comm="kdevtmpfs" path="/dm-3" dev="devtmpfs" ino=11400
scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
permissive=0

Although there is no error message available, given the function of
kdevtmpfs and the "trusted" domain that kernel_t is, we grant it full
manage rights on the device_node and device_t resources.

X-Gentoo-Bug: 535992
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=535992
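
Parsing and aggregating AVC records like the two quoted above, as an added example that is not part of this commit or of refpolicy: the script below pulls the permission set, source and target contexts and object class out of each denial and groups them the way audit2allow does, so the minimal rule each denial would need is visible before deciding whether a broader interface such as dev_manage_all_dev_nodes is the right grant. The sample lines are copies of the two denials quoted in the message, embedded so the script runs offline; the function names are my own.

```python
import re
from collections import defaultdict

# The two denials quoted in the commit message, copied here so the example
# runs offline (constructed sample input, not read from a live audit log).
SAMPLE_AVC_LINES = [
    'Jan 8 01:37:29 testbed kernel: [28549.831785] audit: type=1400 '
    'audit(1420702649.386:1263): avc: denied { setattr } for pid=47 '
    'comm="kdevtmpfs" name="dm-6" dev="devtmpfs" ino=10993394 '
    'scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t '
    'tclass=blk_file permissive=1',
    'type=AVC msg=audit(1425480209.997:137): avc: denied { getattr } for '
    'pid=16 comm="kdevtmpfs" path="/dm-3" dev="devtmpfs" ino=11400 '
    'scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file '
    'permissive=0',
]

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but not blocked
        'permissive': fields.get('permissive') == '1',
        # the kernel reports either path= or name= depending on what it knows
        'target': fields.get('path') or fields.get('name'),
    }


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def summarize(lines):
    """Aggregate denials by (source type, target type, class) into the union of
    requested permissions, the same grouping audit2allow applies."""
    agg = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        agg[key] |= rec['perms']
    return dict(agg)


def to_allow_rules(agg):
    """Render the aggregate as raw allow rules, sorted for stable output."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in agg.items()
    )


if __name__ == '__main__':
    for rule in to_allow_rules(summarize(SAMPLE_AVC_LINES)):
        print(rule)
```

Running it prints one raw allow rule per (source, target, class) triple; in a refpolicy module those raw rules would be replaced by the matching interface call, which is the step the commit takes with dev_manage_all_dev_nodes.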

policy/modules/kernel/kernel.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

41 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
42 index 2639a5a..a48cf63 100644
43 --- a/policy/modules/kernel/kernel.te
44 +++ b/policy/modules/kernel/kernel.te
45 @@ -437,5 +437,7 @@ ifdef(`distro_gentoo',`
46 #
47 allow kernel_t unlabeled_t:dir search_dir_perms;
48
49 - dev_setattr_generic_chr_files(kernel_t)
50 + # To support kdevtmpfs properly (its purpose is to manage the /dev tmpfs so grant it these rights)
51 + # See also bug 535992
52 + dev_manage_all_dev_nodes(kernel_t)
53 ')
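Review bot: the hunk drops dev_setattr_generic_chr_files(kernel_t) while adding dev_manage_all_dev_nodes(kernel_t); confirm the new interface also grants setattr on generic chr_file nodes, otherwise whatever the removed call was fixing regresses. Both denials quoted in the message are on blk_file objects (device_t and fixed_disk_device_t), so a blk_file-scoped grant would be the minimal change; if full manage rights on every device node are intended for kernel_t, say so in the comment, and wrap the new comment line (well past 80 columns) to match the rest of kernel.te.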