Bug#851933: udev: /lib/udev/hwdb.bin gets wrong SE Linux label

Michael Biebl biebl at debian.org
Wed May 31 18:32:22 BST 2017


Control: tags -1 + confirmed

On Fri, 20 Jan 2017 15:39:14 +1100 Russell Coker <russell at coker.com.au>
wrote:
> Package: udev
> Version: 232-12
> Severity: normal
> 
> The command "systemd-hwdb --usr update" as run from
> /var/lib/dpkg/info/udev.postinst creates the file /lib/udev/hwdb.bin and
> assigns it the SE Linux context "system_u:object_r:default_t:s0" when it
> should have "system_u:object_r:bin_t:s0" with the current policy.


I've set up a test stretch VM enabling SELinux following the instructions
from [1] and can reproduce the issue.

Running "systemd-hwdb --usr update" creates the cache file as
/lib/udev/hwdb.bin with context "system_u:object_r:default_t:s0".

Running "systemd-hwdb update" creates the cache file as
/etc/udev/hwdb.bin with context "system_u:object_r:etc_t:s0", which
seems to be the correct context (as restorecon doesn't change it).

The SELinux context should be set by label_fix:
https://github.com/systemd/systemd/blob/master/src/hwdb/hwdb.c#L682

I haven't debugged yet why that doesn't work for --usr.


[1] https://wiki.debian.org/SELinux/Setup
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
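
Added example, not part of the original message or of systemd: a shell check that compares the label each hwdb.bin cache file actually carries with the label the loaded policy expects, which is the comparison the report makes by hand. The function names are hypothetical; it assumes GNU stat (for `%C`) and matchpathcon from the libselinux utilities.

```shell
#!/bin/sh
# Audit the SELinux labels of the two hwdb cache locations named in this report.

# Extract the type (third colon-separated field) from a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare an actual context with the policy-expected one.
# Prints one verdict line; returns 0 on match, 1 on mismatch.
compare_label() {
    path=$1 actual=$2 expected=$3
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s %s\n' "$path" "$actual"
        return 0
    fi
    printf 'MISMATCH %s actual=%s expected=%s\n' \
        "$path" "$(context_type "$actual")" "$(context_type "$expected")"
    return 1
}

# On a live SELinux host: read the real label, ask policy what it should be.
audit_path() {
    [ -e "$1" ] || { printf 'SKIP     %s (not present)\n' "$1"; return 0; }
    actual=$(stat -c %C "$1") || return 2          # label on disk
    expected=$(matchpathcon -n "$1") || return 2   # label per file_contexts
    compare_label "$1" "$actual" "$expected"
}

# Check both places systemd-hwdb can write the cache
# ("--usr update" and plain "update").
audit_hwdb() {
    rc=0
    for f in /lib/udev/hwdb.bin /etc/udev/hwdb.bin; do
        audit_path "$f" || rc=1
    done
    return $rc
}

# Run on a host with SELinux enabled:
#   audit_hwdb
```

A non-zero return from `audit_hwdb` means at least one cache file carries a label that differs from policy, or could not be checked.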
