[ubuntu-hardened] selinux on lucid

Kees Cook kees at ubuntu.com
Tue Apr 6 19:16:01 BST 2010

Hi Peter,

On Tue, Apr 06, 2010 at 10:58:32AM -0700, Peter Moody wrote:
> https://bugs.launchpad.net/ubuntu/+source/selinux-policy-default/+bug/556697

Cool; I uploaded a fix for this yesterday; hopefully it is sufficient.

> >>   2) according to /proc, dev is mounted as /devtmpfs, which selinux
> >> doesn't know how to treat by default (it gets labeled as
> >> system_u:object_r:unlabeled_t). on #selinux, I found that by adding:
> >>
> >>   fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
> >>
> >> to policy/modules/kernel/filesystem.te, rebuilding and reloading
> >> base.pp, /dev/ is suddenly recognized and is labeled
> >> system_u:object_r:device_t:s0. This is true in both
> >> selinux-policy-default (refpolicy version 2:0.2.20091117-1) and
> >> selinux-policy-ubuntu (refpolicy version 0.2.20090730)
> >>
> >> do I open bugs on ubuntu or with tresys?
> >
> > Probably both, I'm not sure what the most correct solution for /dev
> > should be, but I can fix the selinux-policy-default version glitch.  :)
> So the suggestion from #selinux, to add the line:
>   fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
> to kernel/filesystem.te and rebuilding/reinstalling base.pp works.
> did you want me to file another bug on launchpad for this (I'm going
> to separately try to get tresys to fix it in the refpolicy)

Yeah, if you could open a bug, that'd be nice.  Sounds like both refpolicy
and refpolicy-ubuntu packages need to be adjusted for this.

Caleb, do you have any other changes to go into refpolicy-ubuntu for
the Lucid cycle?


Kees Cook
Ubuntu Security Team