Fedora and udev

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Aug 24 14:18:28 UTC 2004


On Tue, Aug 24, 2004 at 08:06:41PM +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 19:28, Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:
> >  2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
> >     on any directories or subdirectories created.
> 
> This part is OK.  We have moved to using device_t (the default) as the context 
> for all directories and sym-links under /dev.
 
 great, then the policy modifications i've made will be of some
 value in pointing you in the right direction, i'll endeavour to
 clean them up, sort them out [dammit i just did that and ended
 up accidentally deleting it, i _must_ try to stop the habit of
 reusing filenames f g h x y and z]

 i'm attaching also my modified /etc/init.d/udev file.

 as you can see it calls /sbin/restoredevicefiles (sent earlier)
 after the make_extra_nodes() call has been made.

 why?  because it is necessary to do a restorecon on every item
 created in /dev, and this is _before_ udev is running, and it is
 _to_ get udev running!

 i mean, sure, it's fine to grant udev permission to do stuff to
 device_t:file/directory instead (or as well?) such that it can
 "get started" and then "replace" or "re-restore" permissions on
 entries listed in /etc/udev/links.conf, that's another approach
 i imagine could be taken.


> >  if the file_contexts stuff was somehow pre-munged and
> >  transferred into kernel, and the regexp matching code (or
> >  something similar) was _also_ transferred into the kernel,
> >  then this problem would go away.
> 
> I think it's already been decided not to do that.

 oh.  right.  ah well.  Next :)
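The relabelling step the message describes (a restorecon on every entry created under /dev, after the init script's make_extra_nodes() call and before udev itself is started), as an added shell example that is neither the modified /etc/init.d/udev attached to the message nor the /sbin/restoredevicefiles script it refers to. The udev_root default of /dev, the RESTORECON variable and the relabel_dev function name are this example's own assumptions:

```shell
#!/bin/sh
# Added example, not the modified /etc/init.d/udev attached to the message
# nor the /sbin/restoredevicefiles script it refers to.  It shows the step
# the message describes: after the init script's make_extra_nodes() has
# populated $udev_root, every entry created there (device nodes, directories
# and symlinks) is handed to restorecon so it gets its file_contexts label
# before udev itself is started.
#
# Assumptions: udev_root defaults to /dev as in the udev init script;
# RESTORECON names the relabelling tool and may be pointed at a stub for a
# dry run on a scratch directory.

udev_root="${udev_root:-/dev}"
RESTORECON="${RESTORECON:-restorecon}"

# relabel_dev DIR
# Visit each entry below DIR and run restorecon on it.  Entries are passed
# one at a time by their own path, so a symlink is handed to restorecon as
# the link itself rather than reached through its target, and directories
# are covered too: exactly the entries the message says the stock init
# script left unlabelled.  Prints the number of entries relabelled; returns
# non-zero if DIR is missing or any relabel fails.
relabel_dev() {
    dir="$1"
    n=0
    [ -d "$dir" ] || return 1
    # The here-document keeps the loop in the current shell so $n survives;
    # -mindepth 1 skips DIR itself (the caller labels the root separately).
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        "$RESTORECON" "$entry" || return 1
        n=$((n + 1))
    done <<EOF
$(find "$dir" -mindepth 1)
EOF
    echo "$n"
}

# Where this sits in the init script's start action (a sketch of the
# ordering the message describes, not the attached file):
#   make_extra_nodes            # nodes and links from /etc/udev/links.conf
#   relabel_dev "$udev_root"    # label everything just created
#   ...                         # only now start udev itself
```

On a live system the loop is equivalent to a single `restorecon -R` over the udev root; visiting entries individually only buys a count and a per-entry failure, which is convenient when checking a policy change like the one discussed here against a scratch directory with the relabel tool stubbed out.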

 



More information about the fedora-selinux-list mailing list