Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support systemd v246 #292

Closed
bauen1 opened this issue Aug 10, 2020 · 9 comments · Fixed by #331
Closed

Support systemd v246 #292

bauen1 opened this issue Aug 10, 2020 · 9 comments · Fixed by #331

Comments

@bauen1
Copy link
Contributor

bauen1 commented Aug 10, 2020

Since version 246 of systemd /usr/lib/systemd/systemd-udevd has become a symlink to /usr/bin/udevadm.
This means that udevd is now run in the udevadm_t domain, and that breaks things.

Original labels as reference:

/usr/bin/udevadm        system_u:object_r:udevadm_exec_t:SystemLow
/usr/lib/systemd/systemd-udevd  system_u:object_r:udev_exec_t:SystemLow
@egtvedt
Copy link

egtvedt commented Sep 9, 2020

I am stuck with the same issue, currently considering a workaround by reverting systemd commit systemd/systemd@63e2d17

I do not feel switching udevadm to udev_exec_t is the correct approach.

@ghost
Copy link

ghost commented Sep 9, 2020 via email

@ghost
Copy link

ghost commented Sep 9, 2020 via email

@pebenito
Copy link
Member

pebenito commented Sep 9, 2020

To me, it seems that we should change udevadm to udev_exec_t and then change the old udevadm transitions to be over udev_exec_t assuming there isn't a type transition conflict.

@egtvedt
Copy link

egtvedt commented Sep 9, 2020

Hans-Christian Egtvedt notifications@github.com writes:
I am stuck with the same issue, currently considering a workaround by reverting systemd commit @.*** I do not feel switching udevadm to udev_exec_t is the correct approach.
Why do you think that? You might have to move some rules over and add in/remove some compatibility rules, but essentially it should be the same code. That is why they decided to merge it. it was just duplicate code occupying space. You can add a typealias for compatibility. This is (at least some of it) what i did in my personal policy to address this consolidation: https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=848385ed4a145ac2967ab9a7f1d0715ebe741fd1

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
-- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift

Ack, I was mostly concerned about two quite different programs now being merged into one type, but I guess they will have the same needs with regards to access for things to work.

@egtvedt
Copy link

egtvedt commented Sep 9, 2020
edited

I tuned my local policy file context to do
/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t)

And I also had to add the following policy
allow udev_t var_run_t:file { getattr open read };

And AFAICT things work as they should again, I see no violations and run in enforcing mode.

The need for udev_t to access var_run_t:file types are due to my embedded target being a bit exotic, I think that can be ignored.

@minimaxwell
Copy link

I tuned my local policy file context to do
/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t)

And I also had to add the following policy
allow udev_t var_run_t:file { getattr open read };

And AFAICT things work as they should again, I see no violations and run in enforcing mode.

The need for udev_t to access var_run_t:file types are due to my embedded target being a bit exotic, I think that can be ignored.

I've been testing that fix locally for a while now, and it also fixes the issue. Should we send that fix as a PR ?

Thanks,

Maxime

@pebenito
Copy link
Member

There is also a patch on the mail list that is aimed a resolving this, but it doesn't have the var_run_t rule. That sounds like a mislabeled file.

@DemiMarie
Copy link

Another approach is to use SELinuxContext= in systemd-udevd.service.

pebenito added a commit to pebenito/refpolicy that referenced this issue Jan 8, 2021
@pebenito
udev: Systemd 246 merged udev and udevadm executables.
dbedc4e 
Drop init_system_domain() for udevadm to break type transition conflicts.
Also fix interface naming issues for udevadm interfaces.

Fixes SELinuxProject#292

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
@pebenito pebenito mentioned this issue Jan 8, 2021
Merged
pebenito added a commit to pebenito/refpolicy that referenced this issue Jan 8, 2021
@pebenito
udev: Systemd 246 merged udev and udevadm executables.
60bfcec 
Drop init_system_domain() for udevadm to break type transition conflicts.
Also fix interface naming issues for udevadm interfaces.

Fixes SELinuxProject#292

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

udev updates pebenito/refpolicy
5 participants
@egtvedt @pebenito @minimaxwell @DemiMarie @bauen1