Package: udev
Version: 0.105-4
Severity: normal

If SELinux is installed, then the make_extra_nodes function in the udev init script does

    /sbin/restorecon /dev/$name >/dev/null 2>/dev/null

before /dev/null has been created. There is no reason to redirect into /dev/null anyway because restorecon produces no output unless something goes wrong.

This results in /dev/null being created as a regular file instead of a char device until it is recreated by udevtrigger. It gets the wrong SELinux context, resulting in error messages such as:

Jun 8 10:50:55 tiberius kernel: audit(1181296212.884:4): avc: denied { read write } for pid=463 comm="modprobe" name="null" dev=tmpfs ino=724 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file
Jun 8 10:50:55 tiberius kernel: audit(1181296212.884:5): avc: denied { getattr } for pid=463 comm="modprobe" name="null" dev=tmpfs ino=724 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file

The attached patch fixes this.

--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.21

Debian Release: lenny/sid
  990 unstable        www.debian-multimedia.org
  990 unstable        ftp.ie.debian.org
  990 unstable        ftp.heanet.ie
  990 unstable        ftp-uxsup.csx.cam.ac.uk
    1 experimental    ftp.ie.debian.org
    1 experimental    ftp-uxsup.csx.cam.ac.uk

--- Package information. ---
Depends (Version)              | Installed
==============================-+-=============
libc6 (>= 2.3.5-1)             | 2.6-0exp2
libselinux1 (>= 1.32)          | 2.0.15-2
libvolume-id0 (>= 0.103-1)     | 0.105-4
debconf (>= 0.5)               | 1.5.13
 OR debconf-2.0                |
lsb-base (>= 3.0-6)            | 3.1-23.1

--
Martin Orr

--- debian/udev.init.orig 2007-06-11 00:04:07.000000000 +0100 +++ debian/udev.init 2007-06-11 00:05:19.000000000 +0100 @@ -73,7 +73,7 @@ *) log_warning_msg "links.conf: unparseable line ($type $name $arg1)" ;; esac if [ -x /sbin/restorecon ]; then - /sbin/restorecon /dev/$name >/dev/null 2>/dev/null + /sbin/restorecon /dev/$name fi done }
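
Review bot: the replacement line `/sbin/restorecon /dev/$name` has no comment saying why its output is left unredirected, so a later tidy-up could put `>/dev/null` back and reintroduce the regular-file /dev/null. Add a one-line comment above it noting that /dev/null may not exist yet at this point in the init script. The same line also expands `$name` unquoted; writing `"/dev/$name"` would stop the shell from expanding glob characters in a links.conf entry.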
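
The failure mode described in the report, as an added example that is not part of the original report or of the udev package: redirecting into a path that does not exist yet makes the shell create it as a regular file. The scratch directory stands in for /dev, and the function names (classify_node, run_quiet_unsafe, run_quiet_guarded) are hypothetical; the guarded variant is an alternative shown for comparison, whereas the patch above simply drops the redirection.

```shell
#!/bin/sh
# Added example: a constructed scratch directory stands in for an empty /dev.

# classify_node PATH: print "chardev", "regular", "missing" or "other".
classify_node() {
    if [ -c "$1" ]; then echo chardev
    elif [ -f "$1" ]; then echo regular
    elif [ ! -e "$1" ]; then echo missing
    else echo other
    fi
}

# Mimics the old init-script line: always redirect to DEVDIR/null.
run_quiet_unsafe() {
    dir=$1; shift
    "$@" >"$dir/null" 2>"$dir/null"
}

# Hypothetical guard: redirect only if DEVDIR/null is already a char device.
run_quiet_guarded() {
    dir=$1; shift
    if [ -c "$dir/null" ]; then
        "$@" >"$dir/null" 2>"$dir/null"
    else
        "$@"
    fi
}

# Run both variants against an empty directory and report the node type
# before, after the unsafe redirect, and after the guarded call.
demo() {
    scratch=$(mktemp -d) || return 1
    before=$(classify_node "$scratch/null")
    run_quiet_unsafe "$scratch" true
    after_unsafe=$(classify_node "$scratch/null")
    rm -f "$scratch/null"
    run_quiet_guarded "$scratch" true
    after_guarded=$(classify_node "$scratch/null")
    rm -rf "$scratch"
    echo "$before $after_unsafe $after_guarded"
}

demo
```

Running `classify_node /dev/null` early in boot on an affected system is a quick way to confirm the state that produces the avc denials with tclass=file quoted in the report.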