SELinux label for /etc/udev/hwdb.bin is etc_t instead of systemd_hwdb_etc_t after "#systemd-hwdb update" #3458

Closed
wrabcak opened this Issue Jun 7, 2016 · 5 comments

Comments

4 participants
@wrabcak

wrabcak commented Jun 7, 2016

Submission type

  • Bug report
  • Request for enhancement (RFE)

systemd version the issue has been seen with

systemd-230

Used distribution

Fedora Rawhide

In case of bug report: Expected behaviour you didn't see

ls -Z hwdb.bin
unconfined_u:object_r:systemd_hwdb_etc_t:s0 hwdb.bin

In case of bug report: Unexpected behaviour you saw

ls -Z hwdb.bin
unconfined_u:object_r:etc_t:s0 hwdb.bin

In case of bug report: Steps to reproduce the problem

rm /etc/udev/hwdb.bin
systemd-hwdb update
ls -Z /etc/udev/hwdb.bin

systemd-hwdb update does the following:
It deletes the /etc/udev/hwdb.bin file, then the file "/etc/udev/.#hwdb.binXXXXXX" is created and then renamed to /etc/udev/hwdb.bin.
This is a problem from the SELinux policy point of view. I cannot create a filename transition rule for the file ".#hwdb.binXXXXXX" due to its non-constant name. Is it possible to always have the same name for ".#hwdb.binXXXXXX"?

@wrabcak wrabcak changed the title from SELinux label for /etc/udev/hwdb.bin is etc_t insted systemd_hwdb_etc_t after "#systemd-hwdb update" to SELinux label for /etc/udev/hwdb.bin is etc_t instead of systemd_hwdb_etc_t after "#systemd-hwdb update" Jun 7, 2016

@evverx

evverx commented Jun 7, 2016

Member

Is it possible to have always same name of ".#hwdb.binXXXXXX"

I think systemd-hwdb should use label_fix or so

@poettering

poettering commented Jun 7, 2016

Member

yeah, label_fix appears to be the answer here. Happy to take a patch for that.

evverx added a commit to evverx/systemd that referenced this issue Jun 7, 2016

hwdb: selinuxify a bit
-bash-4.3# rm /etc/udev/hwdb.bin
-bash-4.3# systemd-hwdb update
-bash-4.3# ls -Z /etc/udev/hwdb.bin
system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin

Fixes: systemd#3458
@evverx

evverx commented Jun 7, 2016

Member

fix waiting in #3460

poettering added a commit that referenced this issue Jun 7, 2016

hwdb: selinuxify a bit (#3460)
-bash-4.3# rm /etc/udev/hwdb.bin
-bash-4.3# systemd-hwdb update
-bash-4.3# ls -Z /etc/udev/hwdb.bin
system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin

Fixes: #3458
@sourcejedi

sourcejedi commented Aug 15, 2017

Contributor

Surely the approach with label_fix() races with hotplug, so we accept potential spurious SELinux denial pop-ups. Following the original suggestion (like passwd) would still have allowed preventing write conflicts, using whatever unix locking construct is considered least horrifying.

Locking would also make it possible to guarantee that if two hwdb updates are running at the same time, the one with the older view of the conf files is not overwritten by the one with the more recent view.
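One way to do the replacement that covers both wrabcak's description of the temp-and-rename sequence (the label is lost because the temporary file has a random name) and sourcejedi's point about locking, as an added example that is not systemd's code: a constant temporary name that a filename transition rule could target, an flock() on a lock file so two updaters serialize, and an explicit relabel of the temp file to the context the policy assigns to the final path before rename(). The function names, the ".tmp"/".lock" suffixes and the HAVE_SELINUX build macro are assumptions of this example; the libselinux calls are the real selabel_lookup/fsetfilecon API and are compiled in only with -DHAVE_SELINUX -lselinux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef HAVE_SELINUX
#include <selinux/label.h>
#include <selinux/selinux.h>
#endif

/* Relabel fd to the context the file-context policy assigns to final_path,
 * i.e. what a filename transition would have produced. No-op without SELinux. */
static int label_for_final(int fd, const char *final_path) {
#ifdef HAVE_SELINUX
    struct selabel_handle *h = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    char *con = NULL;
    int r = -1;
    if (h && selabel_lookup(h, &con, final_path, S_IFREG) == 0) {
        r = fsetfilecon(fd, con);
        freecon(con);
    }
    if (h) selabel_close(h);
    return r;
#else
    (void)fd; (void)final_path; return 0;
#endif
}

/* Replace final_path atomically: flock() "<final>.lock", write the constant-named
 * "<final>.tmp", fsync, relabel it for its final name, then rename(). Holding the
 * lock across rename() serializes updaters so an older view cannot overwrite a newer one. */
int atomic_replace(const char *final_path, const char *buf, size_t len) {
    char tmp[4096], lock[4096];   /* assumed path length bound for this example */
    int lfd, fd, r = -1;
    snprintf(tmp, sizeof tmp, "%s.tmp", final_path);
    snprintf(lock, sizeof lock, "%s.lock", final_path);
    lfd = open(lock, O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    if (lfd < 0 || flock(lfd, LOCK_EX) < 0) goto out;
    fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
    if (fd < 0) goto out;
    if (write(fd, buf, len) == (ssize_t)len && fsync(fd) == 0 &&
        label_for_final(fd, final_path) == 0 && rename(tmp, final_path) == 0)
        r = 0;
    close(fd);
    if (r != 0) unlink(tmp);   /* never leave a half-written temp file behind */
out:
    if (lfd >= 0) close(lfd);  /* closing the descriptor releases the flock */
    return r;
}
```

On an SELinux system the lock file and the ".tmp" name both need their own file-context entries, which is exactly what a constant name makes possible.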

@sourcejedi

sourcejedi commented Aug 15, 2017

Contributor

... or move After=systemd-hwdb.service from systemd-udev-trigger.service to systemd-udev.service. I'll send a PR.

sourcejedi added a commit to sourcejedi/systemd that referenced this issue Aug 15, 2017

units: order service(s) before udevd, not udev-trigger (coldplug)
Since hotplugs happen as soon as udevd is started, there is not much sense
in giving udev-trigger an After= dependency on any service.  The device
could be hotplugged before coldplug starts.

This is intended to avoid the race window where we create the hwdb with
the wrong selinux context (then fix it up afterwards).
systemd#3458 (comment)

andir added a commit to andir/systemd that referenced this issue Sep 7, 2017

units: order service(s) before udevd, not udev-trigger (coldplug)
Since hotplugs happen as soon as udevd is started, there is not much sense
in giving udev-trigger an After= dependency on any service.  The device
could be hotplugged before coldplug starts.

This is intended to avoid the race window where we create the hwdb with
the wrong selinux context (then fix it up afterwards).
systemd#3458 (comment)

andir added a commit to andir/systemd that referenced this issue Sep 22, 2017

units: order service(s) before udevd, not udev-trigger (coldplug)
Since hotplugs happen as soon as udevd is started, there is not much sense
in giving udev-trigger an After= dependency on any service.  The device
could be hotplugged before coldplug starts.

This is intended to avoid the race window where we create the hwdb with
the wrong selinux context (then fix it up afterwards).
systemd#3458 (comment)

whot pushed a commit to whot/systemd that referenced this issue Oct 10, 2017

hwdb: selinuxify a bit (systemd#3460)
-bash-4.3# rm /etc/udev/hwdb.bin
-bash-4.3# systemd-hwdb update
-bash-4.3# ls -Z /etc/udev/hwdb.bin
system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin

Fixes: systemd#3458

(cherry picked from commit ea68351)
Resolves: #1343648

dm0- added a commit to dm0-/systemd that referenced this issue Oct 30, 2018

Merge pull request systemd#3458 from dm0-/rust
Drop our Rust bootstrapping customizations