Fedora and udev
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Aug 24 14:18:28 UTC 2004
On Tue, Aug 24, 2004 at 08:06:41PM +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 19:28, Luke Kenneth Casson Leighton <lkcl at lkcl.net> wrote:
> > 2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
> > on any directories or subdirectories created.
>
> This part is OK. We have moved to using device_t (the default) as the context
> for all directories and sym-links under /dev.
great, then the policy modifications i've made will be of some
value in pointing you in the right direction, i'll endeavour to
clean them up, sort them out [dammit i just did that and ended
up accidentally deleting it, i _must_ try to stop the habit of
reusing filenames f g h x y and z]
i'm attaching also my modified /etc/init.d/udev file.
as you can see it calls /sbin/restoredevicefiles (sent earlier)
after the make_extra_nodes() call has been made.
why? because it is necessary to do a restorecon on every item
created in /dev, and this is _before_ udev is running, and it is
_to_ get udev running!
i mean, sure, it's fine to grant udev permission to do stuff to
device_t:file/directory instead (or as well?) such that it can
"get started" and then "replace" or "re-restore" permissions on
entries listed in /etc/udev/links.conf, that's another approach
i imagine could be taken.
> > if the file_contexts stuff was somehow pre-munged and
> > transferred into kernel, and the regexp matching code (or
> > something similar) was _also_ transferred into the kernel,
> > then this problem would go away.
>
> I think it's already been decided not to do that.
oh. right. ah well. Next :)
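The ordering described above (populate /dev with make_extra_nodes, then relabel every entry, including symlinks and subdirectories, before udevd starts) as an added POSIX shell example. This is not the poster's /etc/init.d/udev or /sbin/restoredevicefiles, neither of which appears on this page. The function names relabel_dev_tree and count_dev_entries and the RESTORECON override are assumptions of the example; make_extra_nodes and /sbin/udevd are assumed to exist as in the real init script.

```sh
#!/bin/sh
# Added example (not the poster's script): relabel a freshly populated /dev
# tree before the udev daemon is started. Nodes created by an init script
# inherit the creating process's default context, so each one must be
# handed to restorecon to pick up its file_contexts entry.
# RESTORECON is an assumed knob so the walk can be exercised without SELinux.

RESTORECON="${RESTORECON:-restorecon}"

# relabel_dev_tree DIR
# Walks DIR and calls restorecon on every entry below it. Symlinks are
# passed as-is (restorecon relabels the link, not its target) and
# subdirectories are included, which is the gap the message describes.
# Returns 1 if DIR is missing or any entry could not be relabelled.
relabel_dev_tree() {
    dir="$1"
    [ -d "$dir" ] || return 1
    failed=$(find "$dir" ! -path "$dir" | while IFS= read -r path; do
        "$RESTORECON" "$path" >/dev/null 2>&1 || printf '%s\n' "$path"
    done)
    if [ -n "$failed" ]; then
        printf 'relabel failed for:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# count_dev_entries DIR: number of entries relabel_dev_tree will touch,
# useful for logging from the init script.
count_dev_entries() {
    find "$1" ! -path "$1" | wc -l | tr -d ' '
}

# Ordering from the posted init script, as an assumed start routine:
# static nodes first, relabel second, daemon last. make_extra_nodes and
# /sbin/udevd are assumed to be provided by the surrounding init script.
start_udev() {
    make_extra_nodes
    relabel_dev_tree /dev || return 1
    /sbin/udevd &
}
```

Running the relabel before the daemon is what lets udevd itself open its own nodes under the right context; running it afterwards would leave a window where the daemon is already operating on mislabelled entries.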