selinux-policy-ubuntu marks /dev (mounted as devtmpfs) as unlabeled_t

Bug #556823 reported by Peter Moody on 2010-04-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
refpolicy (Ubuntu)
Kees Cook
Kees Cook
selinux (Ubuntu)
Kees Cook
Kees Cook

Bug Description

Binary package hint: selinux-policy-default

Both refpolicy Version: 0.2.20090730-0ubuntu2 and the newer (though not Ubuntu-packaged) 2:0.2.20091117-1 don't know how to deal with the devtmpfs filesystem. This means that SELinux labels /dev (IIRC) system_u:object_r:unlabeled_t. As a result, most users can't access anything under /dev.

Adding the line:

  fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);

to policy/modules/kernel/filesystem.te, then rebuilding/reinstalling the resulting base.pp (and then rebooting), results in /dev being correctly labeled system_u:object_r:device_t.

Tresys is aware of the issue and is, I believe, making the necessary changes to the refpolicy, but Kees Cook suggested that I file a bug (I'm not sure if you want to do anything other than wait to pull in the Tresys fixes).
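
A check for the failure described in this report, as an added example that is not part of the original bug report or of refpolicy: it lists mounted filesystem types for which the policy source declares no fs_use_* or genfscon statement, which is the condition that leaves a mount such as /dev labeled unlabeled_t. The mount table and policy excerpt are constructed samples, and the function names are hypothetical.

```python
import re

# Labeling statements in policy source look like:
#   fs_use_xattr|fs_use_trans|fs_use_task <fstype> <context>;
#   genfscon <fstype> <path> <context>
RULE_RE = re.compile(r"^\s*(fs_use_(?:xattr|trans|task)|genfscon)\s+(\S+)")

# Constructed policy excerpt in the style of refpolicy's kernel modules.
POLICY = """\
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
"""

# The line proposed in this bug report.
FIX = "fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);\n"

# Constructed /proc/mounts sample: device, mountpoint, fstype, options...
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev devtmpfs rw,mode=0755 0 0
none /dev/pts devpts rw 0 0
none /dev/shm tmpfs rw 0 0
"""

def labeled_fstypes(policy_text):
    """Map fstype -> kind of labeling statement found in policy source."""
    rules = {}
    for line in policy_text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])  # ignore comments
        if m:
            rules.setdefault(m.group(2), m.group(1))
    return rules

def unlabeled_mounts(mounts_text, policy_text):
    """Return (mountpoint, fstype) pairs whose fstype has no labeling rule."""
    rules = labeled_fstypes(policy_text)
    rows = (l.split() for l in mounts_text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[2] not in rules]

if __name__ == "__main__":
    print("before fix:", unlabeled_mounts(MOUNTS, POLICY))
    print("after fix: ", unlabeled_mounts(MOUNTS, POLICY + FIX))
```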


Kees Cook (kees) on 2010-04-06
Changed in selinux-policy-default (Ubuntu):
assignee: nobody → Kees Cook (kees)
status: New → Confirmed
Kees Cook (kees) wrote :

The restorecon stuff needs to be fixed up too.

Kees Cook (kees) on 2010-04-06
Changed in selinux-policy-default (Ubuntu Lucid):
milestone: none → ubuntu-10.04
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package selinux - 1:0.8

selinux (1:0.8) lucid; urgency=low

  * debian/selinux.{preinst,postinst}, Makefile: move /etc/initramfs-tools
    scripts to /usr/share/initramfs-tools.
  * load_policy: source functions only in initramfs.
  * mounted-dev.upstart, Makefile: move restorecon for /dev to upstart
    job (LP: #556823).
 -- Kees Cook <email address hidden> Tue, 06 Apr 2010 13:57:28 -0700

Changed in selinux (Ubuntu Lucid):
status: New → Fix Released
Kees Cook (kees) wrote :

refpolicy (2:0.2.20091117-1ubuntu1) lucid; urgency=low

  * debian/control: drop "selinux" conflict for sane installation
    in Ubuntu (Debian bug 576598).

 -- Kees Cook <email address hidden> Mon, 05 Apr 2010 13:03:23 -0700

affects: selinux-policy-default (Ubuntu Lucid) → refpolicy (Ubuntu Lucid)
Changed in refpolicy (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in selinux (Ubuntu Lucid):
assignee: nobody → Kees Cook (kees)