# SELinux & udev: wrong labels?

## Aquous

I wasn't sure whether to post this in Kernel & Hardware or Networking & Security, but since SELinux is part of the kernel and udev manages hardware I figured I'd post it here.

Basically I'm getting a lot of avc denials from udev in my system log. After googling around I came to this: https://bugzilla.redhat.com/show_bug.cgi?id=510538. It appears that udev's executables should be labeled system_u:object_r:udev_exec_t:s0. However...

```
$ ls -lZ /lib/udev/udev-acl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 44816  1 jan 13:22 /lib/udev/udev-acl
$ sudo restorecon -v /lib/udev/udev-acl
$ ls -lZ /lib/udev/udev-acl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 44816  1 jan 13:22 /lib/udev/udev-acl
```

... mine aren't.

Presumably this is what is causing my many avc denials, e.g.

```
[    5.920185] type=1400 audit(1327744691.759:3): avc:  denied  { relabelto } for  pid=1691 comm="udevd" name=".udev" dev=tmpfs ino=3125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
[    5.942991] type=1400 audit(1327744691.783:4): avc:  denied  { write } for  pid=1691 comm="udevd" name=".udev" dev=tmpfs ino=3125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
[    5.943006] type=1400 audit(1327744691.783:5): avc:  denied  { add_name } for  pid=1691 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
```

and a loooot more.

I'm using sec-policy/selinux-base-policy version 2.20110726-r11 on a fully ~amd64 system on the default/selinux profile.

Is this a bug or a misconfiguration?

----------

## Aquous

Bump.

----------

## Aquous

Bump. Time to file a bug?

----------

## Sven Vermeulen

r12 and higher (r13 is now in the tree) of selinux-base-policy should fix this.

----------

## Aquous

Unfortunately, my problem isn't fixed...

e.g.

```
[  420.985150] type=1400 audit(1330244694.989:601): avc:  denied  { getattr } for  pid=6183 comm="udev-acl.ck" name="sg1" dev=tmpfs ino=657 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
[  420.985163] type=1400 audit(1330244694.989:602): avc:  denied  { setattr } for  pid=6183 comm="udev-acl.ck" name="sg1" dev=tmpfs ino=657 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
```

full dmesg: http://pastebin.com/jezh1yT3

This is probably PEBKAC though, hence why I haven't filed a bug report yet...
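Editor's note: the denials quoted in the first post and in the post above are easier to reason about once they are grouped by source domain, target type, object class and permission, and once you see which domain each process name (`comm`) was actually running in. The script below is an added example written for this thread, not code from any of the posters or from the selinux-base-policy project. Its sample input is the six lines copied from the thread plus one constructed non-AVC line; the function names (`parse_avc_line`, `summarize`, `domains_by_comm`) are my own. Run on the thread's lines it shows that the `udevd` denials come from `udev_t` against `udev_tbl_t`, while the `udev-acl.ck` denials in the second batch come from `consolekit_t`, not `udev_t`, which is the first thing to check alongside the file label itself.

```python
"""Parse SELinux AVC records from dmesg output and summarize them.

Added example for this thread, not code from the original posts.
The AVC lines in SAMPLE_DMESG are copied from the thread; the final
"usb" line is constructed to show that non-AVC lines are skipped.
"""
import re
from collections import Counter, defaultdict

SAMPLE_DMESG = """\
[    5.920185] type=1400 audit(1327744691.759:3): avc:  denied  { relabelto } for  pid=1691 comm="udevd" name=".udev" dev=tmpfs ino=3125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
[    5.942991] type=1400 audit(1327744691.783:4): avc:  denied  { write } for  pid=1691 comm="udevd" name=".udev" dev=tmpfs ino=3125 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
[    5.943006] type=1400 audit(1327744691.783:5): avc:  denied  { add_name } for  pid=1691 comm="udevd" name="queue.tmp" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
[  420.985150] type=1400 audit(1330244694.989:601): avc:  denied  { getattr } for  pid=6183 comm="udev-acl.ck" name="sg1" dev=tmpfs ino=657 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
[  420.985163] type=1400 audit(1330244694.989:602): avc:  denied  { setattr } for  pid=6183 comm="udev-acl.ck" name="sg1" dev=tmpfs ino=657 scontext=system_u:system_r:consolekit_t tcontext=system_u:object_r:scsi_generic_device_t tclass=chr_file
[    5.950000] usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc_line(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_dmesg(text):
    """Parse every AVC record in a block of dmesg text, skipping other lines."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count denials by (source domain, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            key = (context_type(r["scontext"]), context_type(r["tcontext"]),
                   r["tclass"], perm)
            counts[key] += 1
    return counts


def domains_by_comm(records):
    """Map each process name (comm) to the set of source domains it ran in."""
    seen = defaultdict(set)
    for r in records:
        seen[r["comm"]].add(context_type(r["scontext"]))
    return dict(seen)


if __name__ == "__main__":
    recs = parse_dmesg(SAMPLE_DMESG)
    print("denials by (source domain, target type, class, perm):")
    for (src, tgt, cls, perm), n in sorted(summarize(recs).items()):
        print("%4d  %s -> %s  %s:%s" % (n, src, tgt, cls, perm))
    print("domains seen per process name:")
    for comm, doms in sorted(domains_by_comm(recs).items()):
        print("  %-12s %s" % (comm, ", ".join(sorted(doms))))
```

Pipe real output in with `dmesg | python3 avc_summary.py` after replacing `SAMPLE_DMESG` with `sys.stdin.read()`; the grouping keys are the same ones `audit2allow` would turn into rules, so the summary is a quick way to see whether a batch of denials is one mislabeled file or a process ending up in an unexpected domain.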

----------

