udev has had selinux support removed and now breaks with initrd (i.e. debian)

Bug #7198 reported by Debian Bug Importer

Affects        Status        Importance  Assigned to  Milestone
udev (Debian)  Fix Released  Unknown
udev (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #261945 http://bugs.debian.org/261945

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 29 Jul 2004 03:07:45 +0100
From: Luke Kenneth Casson Leighton <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: udev has had selinux support removed and now breaks with initrd (i.e. debian)

Package: udev
Version: 0.030-1
Severity: critical

it's not okay to remove the c-code that does setting of
permissions, to replace with a script.

the selinux file permissions MUST be set at device-node create time,
_not_ later.

in order to get a working system, i will need to find the old version
and use that.

this is all operating at _boot_ time from an initial ramdisk on
debian, so things like the hard drive (accessible via /dev/hda2)
aren't accessible because selinux is a MANDATORY access control
system: /dev/hda2 isn't accessible because its permissions are
set to (null) - i.e. no access - therefore i can't GET to the
restorecon program NOR to the scripts in /etc/dev.d/

please ask the developer to consider releasing two versions of
udev - se_udev and udev.

one with #ifdef WITH_SELINUX enabled, and one without.

thanks,

l.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.6-selinux1 #5 Tue May 18 16:33:29 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages udev depends on:
ii debconf [debconf-2.0] 1.4.25 Debian configuration management sy
ii hotplug 0.0.20040329-12 Linux Hotplug Scripts
ii initscripts 2.85-22.se2 Standard scripts needed for bootin
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libnewt0.51 0.51.6-5 Not Erik's Windowing Toolkit - tex
ii makedev 2.3.1-74 Creates device files in /dev

-- debconf information excluded
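The symptom in the report (a node whose context shows up as "(null)", so an enforcing policy grants nothing on it) can be checked for after boot. The following is an added example, not code from the bug report or from udev: it parses constructed `ls -Z`-style lines and can also read a live node's `security.selinux` xattr; the sample paths and contexts are made up for illustration.

```python
import os
from typing import Dict, List, Optional

# Constructed sample in the layout of `ls -Z /dev` on a 2004-era SELinux
# system (not taken from the bug report). The second-to-last column is the
# security context; nodes that udev created without labelling them at
# create time show up with no usable context.
SAMPLE_LS_Z = """\
brw-rw----  root disk  system_u:object_r:fixed_disk_device_t  /dev/hda
brw-rw----  root disk  (null)                                 /dev/hda2
crw-rw----  root uucp  system_u:object_r:tty_device_t         /dev/usbtts0
crw-rw----  root uucp  system_u:object_r:unlabeled_t          /dev/usbtts1
crw-rw-rw-  root root  system_u:object_r:null_device_t        /dev/null
"""

# Contexts that mean "no label was applied when the node was created".
# Under a mandatory policy such a node is effectively inaccessible, which is
# why restorecon on the root filesystem could not be reached in the report.
UNLABELED = {"(null)", ""}


def parse_ls_z(text: str) -> Dict[str, str]:
    """Map device path -> security context from `ls -Z`-style lines."""
    nodes: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:          # skip headers / blank lines
            continue
        nodes[parts[-1]] = parts[-2]
    return nodes


def find_unlabeled(nodes: Dict[str, str]) -> List[str]:
    """Return device paths whose context is missing or the unlabeled type."""
    return sorted(path for path, ctx in nodes.items()
                  if ctx in UNLABELED or "unlabeled_t" in ctx)


def live_context(path: str) -> Optional[str]:
    """Read the label of a real node from its security.selinux xattr.
    Returns None when the node has no label (the state the report describes)
    or when the platform has no xattr support (os.getxattr is Linux-only)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.decode(errors="replace").rstrip("\0") or None


if __name__ == "__main__":
    for dev in find_unlabeled(parse_ls_z(SAMPLE_LS_Z)):
        print(f"unlabeled device node: {dev}")
```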

Revision history for this message
Matt Zimmerman (mdz) wrote :

Irrelevant for Warty

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 10:21:14 +0200
From: Marco d'Itri <email address hidden>
To: Luke Kenneth Casson Leighton <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#261945: udev has had selinux support removed and now breaks with initrd (i.e. debian)

severity 261945 wishlist
tag 261945 upstream moreinfo unreproducible
thanks

On Jul 29, Luke Kenneth Casson Leighton <email address hidden> wrote:

> please ask the developer to consider releasing two versions of
> udev - se_udev and udev.
Please *you* do, apparently the new system works for red hat and I do
not know enough about selinux to argue about this.

--
ciao, |
Marco | [7332 runU/N1H1bqCE]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 10:38:13 +0100
From: Luke Kenneth Casson Leighton <email address hidden>
To: Marco d'Itri <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#261945: udev has had selinux support removed and now breaks with initrd (i.e. debian)

On Thu, Jul 29, 2004 at 10:21:14AM +0200, Marco d'Itri wrote:

> On Jul 29, Luke Kenneth Casson Leighton <email address hidden> wrote:
>
> > please ask the developer to consider releasing two versions of
> > udev - se_udev and udev.

> Please *you* do, apparently the new system works for red hat and I do

 ha ha, redhat, gotta love them :)

> not know enough about selinux to argue about this.

 hiya marco,

 i have sent a message to _someone_ at least.
 http://harryh.homelinux.org/index.php?p=15

 i apologise for the message, i cut/paste the message to
 harry and it was late (about 2:30am) and i missed a bit.

 so yes, i have done.

 gentoo, who are concerned about security, have decided to pull udev
 from their distribution because of this one.

 i juuuuussst managed to get udev 0.030 to work under debian:
 i had to pull a couple of hacks but if gentoo aren't happy with
 udev 0.030 i'd rather know what's going on.

 do you happen to know: is it possible for other programs to start
 accessing device files created by udev BEFORE the
 /etc/dev.d/default/selinux stuff gets a look-in?

 i.e. is there a chance that during creation of, say /dev/usbtts0,
 a dialup modem program could be fired off by hotplug and try to
 access /dev/usbtts0 _before_ the SE/Linux permissions have been set?

 because if so (and the same problem is not present in 0.024) then
 the removal of the udev_selinux program needs to be reverted.

 if that's not a clear enough question, then please substitute, oh,
 i dunno... something else for udev_selinux and for
 /etc/dev.d/default/selinux because it's a generic issue of a possible
 race condition in the design of udev.

 l.

--
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
http://lkcl.net
<email address hidden>

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 11:40:32 +0200
From: Marco d'Itri <email address hidden>
To: Luke Kenneth Casson Leighton <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#261945: udev has had selinux support removed and now breaks with initrd (i.e. debian)

On Jul 29, Luke Kenneth Casson Leighton <email address hidden> wrote:

> do you happen to know: is it possible for other programs to start
> accessing device files created by udev BEFORE the
> /etc/dev.d/default/selinux stuff gets a look-in?
Yes, udev is *full* of races.
But the worst that should happen in these situations is EPERM.

--
ciao, |
Marco | [7335 imEb.KPmMYAME]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 12:12:48 +0100
From: Luke Kenneth Casson Leighton <email address hidden>
To: Marco d'Itri <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#261945: udev has had selinux support removed and now breaks with initrd (i.e. debian)

On Thu, Jul 29, 2004 at 11:40:32AM +0200, Marco d'Itri wrote:
> On Jul 29, Luke Kenneth Casson Leighton <email address hidden> wrote:
>
> > do you happen to know: is it possible for other programs to start
> > accessing device files created by udev BEFORE the
> > /etc/dev.d/default/selinux stuff gets a look-in?
> Yes, udev is *full* of races.

 oh dearie me :)

> But the worst that should happen in these situations is EPERM.

 oh well, c'est la vie. *sigh*.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 12 Sep 2004 17:46:47 +0200
From: Marco d'Itri <email address hidden>
To: <email address hidden>
Subject: Re: Bug#261945: udev has had selinux support removed and now breaks with initrd (i.e. debian)

I remember you discussed this on the upstream mailing list, so I'm
closing this bug.

--
ciao, |
Marco | [7955 biaGLYVTh67XQ]

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 12 Sep 2004 19:42:16 +0100
From: Luke Kenneth Casson Leighton <email address hidden>
To: <email address hidden>
Subject: Re: Bug#261945 acknowledged by developer (Re: Bug#261945: udev has had selinux support removed and now breaks with initrd (i.e. debian))

okay!

people seem to be dealing with it (redhat people)

l.

On Sun, Sep 12, 2004 at 09:48:07AM -0700, Debian Bug Tracking System wrote:

> I remember you discussed this on the upstream mailing list, so I'm
> closing this bug.

Changed in udev:
status: Unknown → Fix Released