From: russell@coker.com.au (Russell Coker)
To: selinux@tycho.nsa.gov
Subject: new kernel patch
Date: Fri, 13 Dec 2002 22:48:04 +0100
Message-ID: <20021213214804.GA1781@lyta.coker.com.au>

The new version seems to have a bug related to file labelling that affects
devfs.

If I type "ls -l /dev/floppy/0" on a devfs system and the floppy.o module is
not loaded then the kernel will signal the devfsd daemon (through
/dev/.devfsd) that this has been attempted. In a default configuration the
devfsd will then run "modprobe /dev/floppy/0" and as the modutils config has
an alias for /dev/floppy/0 to "floppy" the floppy.o device driver is loaded.

With this new kernel it appears that the labelling takes place at a different
stage such that the devfsd gets to access a device that is not fully
labelled.

You can see the log entry below, it does not log the action, and it claims
that there is a file named /dev/floppy which is bogus. There can be
no file under /dev on a devfs system so any reference to tclass=file and
dev=00:06 means a kernel bug. Without reading the kernel code in question
I guess that file is the default tclass (defined to 0?).

But interestingly after logging >20 of the following messages the kernel
then proceeds to assign the right type to the device nodes that have been
created and then everything goes fine. Of course I expect this to fail
catastrophically in the case of device nodes that need my devfs shared
object to label them, but I haven't got around to testing this yet.

avc: denied { } for pid=65 exe=/sbin/devfsd path=/floppy dev=00:06 ino=527 scontext=system_u:system_r:devfsd_t tcontext=system_u:object_r:unlabeled_t tclass=file

PS The reason my system is unable to run my usual email program is due
to a conflict between unofficial Debian KDE packages that I've been using
and the new official Debian package of QT. Just in case you were
wondering. ;)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
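
Added example, not part of the original message and not code from the SELinux project: a Python parser for AVC lines in the format quoted above that flags the three oddities the message points at (empty permission set, unlabeled_t target, tclass=file on the devfs device). The function names and the second sample line are constructed, and treating dev=00:06 as devfs is an assumption taken from the message.

```python
import re

# Device number the message associates with devfs on the reporting system
# (an assumption taken from the message; it can differ elsewhere).
DEVFS_DEV = "00:06"

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    # The remaining fields are space-separated key=value pairs.
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def anomalies(rec):
    """Return the oddities described in the message for a parsed record."""
    found = []
    if not rec["perms"]:
        found.append("empty permission set")
    # A context is user:role:type; the type is the third field.
    tctx = rec.get("tcontext", "").split(":")
    if len(tctx) >= 3 and tctx[2] == "unlabeled_t":
        found.append("target unlabeled")
    if rec.get("dev") == DEVFS_DEV and rec.get("tclass") == "file":
        found.append("tclass=file on devfs")
    return found

# First line is the one quoted in the message; the second is constructed.
SAMPLES = [
    "avc: denied { } for pid=65 exe=/sbin/devfsd path=/floppy dev=00:06 ino=527 "
    "scontext=system_u:system_r:devfsd_t tcontext=system_u:object_r:unlabeled_t tclass=file",
    "avc: denied { read } for pid=70 exe=/bin/ls path=/floppy/0 dev=00:06 ino=528 "
    "scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:removable_device_t tclass=blk_file",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(anomalies(parse_avc(line)))
```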