Fedora and udev
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Sun Aug 22 17:34:57 UTC 2004
On Sun, Aug 22, 2004 at 11:05:27AM -0400, Joshua Brindle wrote:
> I posted a patch here that pebenito did a while back for ramfs and lkcl
> also did one for tmpfs (which may be better for /dev since it's swappable)
> both are mostly cut and paste jobs but they add the necessary support.
>
> I'd like to reiterate though, that udev support for selinux is *broken*!
> if the correct policy isn't in place you will cause race conditions

udev is so completely full of race conditions - known to the
developers even _without_ selinux - that the general consensus
seems to be that a few more really won't hurt.

plus, i patched udev (0.030) to add in proper support for selinux
(attached previously in first response to russell's post).

that patch ensures (without saving any extra time) that the device
inodes created, and any directories, _and_ any symlinks (which the
/etc/udev/default/selinux thing most definitely didn't do) all use
setfscreatecon rather than doing a restorecon-or-equiv.

without this patch you will most likely come across issues or end
up developing an incorrect policy (that ended up with a mismatch
of default permissions from file_contexts for subdirectories and
symlinks).

joshua, when you used ramfs, can you remember what the
fscontext was for /dev when it was mounted?

l.