* udev has had udev_selinux removed - argh!
@ 2004-07-29 9:47 Luke Kenneth Casson Leighton
2004-07-29 18:50 ` Greg KH
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-07-29 9:47 UTC (permalink / raw)
To: linux-hotplug
hi there,
gentoo have pulled udev from their distribution because the
udev_selinux program has been removed from udev and replaced
with a /etc/dev.d/default/selinux script.
whilst this is reported as "WorkingForRedHat(tm)", i would
be very grateful if the functionality could be returned such
that it can be optionally compiled back in.
udev_selinux is not like udev_dbus: udev_dbus was pulled because
it took 1 millisecond per file (most likely due to dbus not having
a threadpool and not having unix-domain-socket listeners in its server
back-end).
i have a question for you: is there the possibility of a race
condition in between udev creating nodes in /dev, and the
scripts in /etc/dev.d/default getting at them?
for example, could /dev/usbtts0 be created if i plug in a USB modem,
and hotplug or a manual process fire up pppd BEFORE
/etc/dev.d/default/selinux gets to it?
because if so, things are going to fail unexpectedly.
how has this issue been addressed in udev, and also, whilst
i realise that Fedora accept the /etc/dev.d/default/selinux
change, it should concern you that gentoo do not [and therefore,
like a lemming oblique stroke sheep, i'd rather not, for my
debian distro].
l.
--
--
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
* Re: udev has had udev_selinux removed - argh!
2004-07-29 9:47 udev has had udev_selinux removed - argh! Luke Kenneth Casson Leighton
@ 2004-07-29 18:50 ` Greg KH
2004-07-29 20:40 ` Luke Kenneth Casson Leighton
2004-07-29 20:45 ` Kay Sievers
2004-07-30 8:57 ` Marco d'Itri
2 siblings, 1 reply; 6+ messages in thread
From: Greg KH @ 2004-07-29 18:50 UTC (permalink / raw)
To: linux-hotplug

On Thu, Jul 29, 2004 at 10:47:17AM +0100, Luke Kenneth Casson Leighton wrote:
> hi there,
>
> gentoo have pulled udev from their distribution because the
> udev_selinux program has been removed from udev and replaced
> with a /etc/dev.d/default/selinux script.

No they have not. As the Gentoo udev maintainer, I would have heard
about this :) I see it in the gentoo tree just fine.

Now as to issues if the "hardened Gentoo" people currently like to use
udev or not, well that is a different issue...

> whilst this is reported as "WorkingForRedHat(tm)", i would
> be very grateful if the functionality could be returned such
> that it can be optionally compiled back in.

Great, send me patches to do this. I'm not a selinux developer, so I
rely on someone else to support this if they want to. The previous
patches for selinux in udev were not working, so they were removed.

> i have a question for you: is there the possibility of a race
> condition in between udev creating nodes in /dev, and the
> scripts in /etc/dev.d/default getting at them?

Only if your startup scripts are stupid. :)

> for example, could /dev/usbtts0 be created if i plug in a USB modem,
> and hotplug or a manual process fire up pppd BEFORE
> /etc/dev.d/default/selinux gets to it?

That's a different question than the one above.
Sure, that could happen, it just proves that udev needs to have selinux
support added into it, to prevent this from happening.

> because if so, things are going to fail unexpectedly.

Yup. Good luck :)

> how has this issue been addressed in udev, and also, whilst
> i realise that Fedora accept the /etc/dev.d/default/selinux
> change, it should concern you that gentoo do not [and therefore,
> like a lemming oblique stroke sheep, i'd rather not, for my
> debian distro].

Again, patches are welcome.

thanks,

greg k-h
* Re: udev has had udev_selinux removed - argh!
2004-07-29 18:50 ` Greg KH
@ 2004-07-29 20:40 ` Luke Kenneth Casson Leighton
0 siblings, 0 replies; 6+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-07-29 20:40 UTC (permalink / raw)
To: Greg KH; +Cc: linux-hotplug-devel, SE-Linux

hello greg,

well i tried compiling udev-024 and it was a pain, plus i got udev-030
to work and decided it wasn't worth the effort, the users can
JustLiveWithIt(tm) until it's fixed properly.

greg, do you have any objections to me doing a "proper" job, which
is to patch udev-add.c to use some libselinux1 functions that will
"prime" the selinux module with the right context, such that
when the node (and the symlink!) are individually created, they
are individually created with the correct context - there and then.

not post-creation, which is what udev_selinux and also the use of
restorecon do.

l.

On Thu, Jul 29, 2004 at 11:50:34AM -0700, Greg KH wrote:
> On Thu, Jul 29, 2004 at 10:47:17AM +0100, Luke Kenneth Casson Leighton wrote:
> > hi there,
> >
> > gentoo have pulled udev from their distribution because the
> > udev_selinux program has been removed from udev and replaced
> > with a /etc/dev.d/default/selinux script.
>
> No they have not. As the Gentoo udev maintainer, I would have heard
> about this :) I see it in the gentoo tree just fine.
>
> Now as to issues if the "hardened Gentoo" people currently like to use
> udev or not, well that is a different issue...

ah, likely.

> > whilst this is reported as "WorkingForRedHat(tm)", i would
> > be very grateful if the functionality could be returned such
> > that it can be optionally compiled back in.
>
> Great, send me patches to do this. I'm not a selinux developer, so I
> rely on someone else to support this if they want to. The previous
> patches for selinux in udev were not working, so they were removed.
>
> > i have a question for you: is there the possibility of a race
> > condition in between udev creating nodes in /dev, and the
> > scripts in /etc/dev.d/default getting at them?
>
> Only if your startup scripts are stupid. :)
>
> > for example, could /dev/usbtts0 be created if i plug in a USB modem,
> > and hotplug or a manual process fire up pppd BEFORE
> > /etc/dev.d/default/selinux gets to it?
>
> That's a different question than the one above.
> Sure, that could happen, it just proves that udev needs to have selinux
> support added into it, to prevent this from happening.
>
> > because if so, things are going to fail unexpectedly.
>
> Yup. Good luck :)
>
> > how has this issue been addressed in udev, and also, whilst
> > i realise that Fedora accept the /etc/dev.d/default/selinux
> > change, it should concern you that gentoo do not [and therefore,
> > like a lemming oblique stroke sheep, i'd rather not, for my
> > debian distro].
>
> Again, patches are welcome.
>
> thanks,
>
> greg k-h

--
--
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
* Re: udev has had udev_selinux removed - argh!
2004-07-29 9:47 udev has had udev_selinux removed - argh! Luke Kenneth Casson Leighton
2004-07-29 18:50 ` Greg KH
@ 2004-07-29 20:45 ` Kay Sievers
2004-07-29 22:14 ` Luke Kenneth Casson Leighton
2004-07-30 8:57 ` Marco d'Itri
2 siblings, 1 reply; 6+ messages in thread
From: Kay Sievers @ 2004-07-29 20:45 UTC (permalink / raw)
To: linux-hotplug

On Thu, 2004-07-29 at 21:40 +0100, Luke Kenneth Casson Leighton wrote:
> hello greg,
>
> well i tried compiling udev-024 and it was a pain, plus i got udev-030
> to work and decided it wasn't worth the effort, the users can
> JustLiveWithIt(tm) until it's fixed properly.
>
> greg, do you have any objections to me doing a "proper" job, which
> is to patch udev-add.c to use some libselinux1 functions that will
> "prime" the selinux module with the right context, such that
> when the node (and the symlink!) are individually created, they
> are individually created with the correct context - there and then.

How do we solve the klibc build, if selinux is used internally? We've
moved it to a external program for that reason.

Kay
* Re: udev has had udev_selinux removed - argh!
2004-07-29 20:45 ` Kay Sievers
@ 2004-07-29 22:14 ` Luke Kenneth Casson Leighton
0 siblings, 0 replies; 6+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-07-29 22:14 UTC (permalink / raw)
To: Kay Sievers; +Cc: Greg KH, linux-hotplug-devel, SE-Linux

On Thu, Jul 29, 2004 at 10:45:15PM +0200, Kay Sievers wrote:
> On Thu, 2004-07-29 at 21:40 +0100, Luke Kenneth Casson Leighton wrote:
> > hello greg,
> >
> > well i tried compiling udev-024 and it was a pain, plus i got udev-030
> > to work and decided it wasn't worth the effort, the users can
> > JustLiveWithIt(tm) until it's fixed properly.
> >
> > greg, do you have any objections to me doing a "proper" job, which
> > is to patch udev-add.c to use some libselinux1 functions that will
> > "prime" the selinux module with the right context, such that
> > when the node (and the symlink!) are individually created, they
> > are individually created with the correct context - there and then.
>
> How do we solve the klibc build, if selinux is used internally? We've
> moved it to a external program for that reason.

if i understand you correctly (i don't know what klibc is):

i'd recommend leaving it up to distributions to decide to create
(or not) two _separate_ packages, se_udev and udev.

if you can at least provide an option --with-selinux in the
configure script, distros can make the decision.

l.
* Re: udev has had udev_selinux removed - argh!
2004-07-29 9:47 udev has had udev_selinux removed - argh! Luke Kenneth Casson Leighton
2004-07-29 18:50 ` Greg KH
2004-07-29 20:45 ` Kay Sievers
@ 2004-07-30 8:57 ` Marco d'Itri
2 siblings, 0 replies; 6+ messages in thread
From: Marco d'Itri @ 2004-07-30 8:57 UTC (permalink / raw)
To: linux-hotplug

On Jul 29, Kay Sievers <kay.sievers@vrfy.org> wrote:
> How do we solve the klibc build, if selinux is used internally? We've
> moved it to a external program for that reason.

Eventually initramfs tools will have to support selinux too, until then
I think we can safely assume that people needing a klibc-linked udev
will not use selinux.

--
ciao, |
Marco | [7369 inV7ugMmso4Kk]