selinux-policy-ubuntu marks /dev (mounted as devtmpfs) as unlabeled_t

Bug #556823 reported by Peter Moody
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
refpolicy (Ubuntu) | Fix Released | Undecided | Kees Cook |
Lucid | Fix Released | Undecided | Kees Cook |
selinux (Ubuntu) | Fix Released | Undecided | Kees Cook |
Lucid | Fix Released | Undecided | Kees Cook |

Bug Description

Binary package hint: selinux-policy-default

Both refpolicy Version: 0.2.20090730-0ubuntu2 and the newer (though not Ubuntu packaged) 2:0.2.20091117-1 don't know how to deal with the devtmpfs filesystem. This means that SELinux labels /dev (IIRC) system_u:object_r:unlabeled_t. As a result, most users can't access anything under /dev.

Adding the line:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to policy/modules/kernel/filesystem.te, then rebuilding/reinstalling the resulting base.pp (and then rebooting), results in /dev being correctly labeled system_u:object_r:device_t.

Tresys is aware of the issue and is, I believe, making the necessary changes to the refpolicy, but Kees Cook suggested that I file a bug (I'm not sure if you want to do anything other than wait to pull in the Tresys fixes).

Cheers,
/peter
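
A check for the failure described in the report above, as an added example that is not part of the original bug report or of refpolicy: it lists mounted filesystem types that have no fs_use_* or genfscon statement in a policy source file. The function names, the sample policy lines and the sample mount table are constructed for illustration; only the devtmpfs fs_use_trans line is taken from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of refpolicy.

# unlabeled_fstypes POLICY_FILE MOUNTS_FILE
# Prints "fstype mountpoint" for every mount whose filesystem type has no
# fs_use_xattr / fs_use_task / fs_use_trans / genfscon statement in POLICY_FILE.
unlabeled_fstypes() {
    awk '
        # Policy source: field 2 of a labeling statement is the fstype.
        FILENAME == ARGV[1] {
            if ($1 ~ /^(fs_use_(xattr|task|trans)|genfscon)$/) known[$2] = 1
            next
        }
        # Mount table in /proc/mounts layout: device mountpoint fstype ...
        NF >= 3 && !($3 in known) { print $3, $2 }
    ' "$1" "$2"
}

# run_sample before|after: run the check on constructed sample data.
# "after" appends the fs_use_trans line quoted in the report.
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/filesystem.te" <<'EOF'
# constructed sample in refpolicy statement syntax
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
EOF
    if [ "$1" = after ]; then
        echo 'fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);' \
            >> "$dir/filesystem.te"
    fi
    cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
devtmpfs /dev devtmpfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
    unlabeled_fstypes "$dir/filesystem.te" "$dir/mounts"
    rm -rf "$dir"
}

echo "before fix: $(run_sample before)"
echo "after fix:  $(run_sample after)"
```

On a real system the second argument would be /proc/mounts. A labeling statement may live in another policy module, so concatenate every policy source that carries such statements into the first argument before trusting a hit.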

Kees Cook (kees)
Changed in selinux-policy-default (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: New → Confirmed
Kees Cook (kees) wrote :

The restorecon stuff needs to be fixed up too.

Kees Cook (kees)
Changed in selinux-policy-default (Ubuntu Lucid):
milestone: none → ubuntu-10.04
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package selinux - 1:0.8

---------------
selinux (1:0.8) lucid; urgency=low

  * debian/selinux.{preinst,postinst}, Makefile: move /etc/initramfs-tools
    scripts to /usr/share/initramfs-tools.
  * load_policy: source functions only in initramfs.
  * mounted-dev.upstart, Makefile: move restorecon for /dev to upstart
    job (LP: #556823).
 -- Kees Cook <email address hidden> Tue, 06 Apr 2010 13:57:28 -0700

Changed in selinux (Ubuntu Lucid):
status: New → Fix Released
Kees Cook (kees) wrote :

refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low

  * debian/control: drop "selinux" conflict for sane installation
    in Ubuntu (Debian bug 576598).

 -- Kees Cook <email address hidden> Mon, 05 Apr 2010 13:03:23 -0700

affects: selinux-policy-default (Ubuntu Lucid) → refpolicy (Ubuntu Lucid)
Changed in refpolicy (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in selinux (Ubuntu Lucid):
assignee: nobody → Kees Cook (kees)