[idea] udev + selinux

Luke Kenneth Casson Leighton lkcl at lkcl.net
Mon Aug 30 20:31:40 UTC 2004


On Mon, Aug 30, 2004 at 07:37:44PM +0200, Nigel Kukard wrote:
> Just an idea, but why not have udev set the context on its root path?
 
 you mean on /dev, i presume?

 well i had to patch selinux/hooks.c to allow this [on a tmpfs]
 by relaxing the criteria of the "fscontext=" option for mount.

 otherwise it's not _possible_ to set the context on /dev as it is
 mounted [on a tmpfs].

 [if /dev was a persistent filesystem everything would be hunky-dory
  and this wouldn't be an issue].


 with that in mind, it's more that because you're putting device
 inodes into a non-persistent filesystem, you end up getting the
 "default" rules and so you must "restore" the contexts, or
 you must patch udev to "understand" the contents of
 /etc/selinux/src/file_contexts/file_contexts (using matchpathcon()
 and setfscreatecon() from libselinux) such that it will create
 inodes with the right file context.

 like i said, if /dev was a persistent filesystem, and if device
 inodes never disappeared, this wouldn't be a problem: you could run
 setfiles /etc/selinux/src/file_contexts/file_contexts /dev and
 be done with it...

 ... but that's not how udev works: it deletes and creates inodes
 on demand; nothing exists at boot-time, it's all created on-demand.

 so, not only must udev be patched to restore contexts but also
 the policies and various hacks added to "cope" with /dev being
 incredibly basic at startup - prior to udev running.

 _including_ dealing with getting the contexts correct on entries
 in /.dev [the old /dev remounted with mount --rbind]

 l.



-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl at lkcl.net
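To make the file_contexts lookup discussed above concrete, here is an added example (not code from the message or from udev/libselinux) that parses a constructed fragment in file_contexts syntax and resolves the context a new /dev inode should get, the way matchpathcon() does before udev would pass the result to setfscreatecon() and mknod(). It assumes the "last matching entry wins" rule and treats the type flags (-c, -b, --, ...) as a filter on the inode type being created; the sample entries and contexts are constructed, not taken from any real policy.

```python
import re
import stat

# file_contexts type flags, mapped to the st_mode format bits they restrict to.
FILE_TYPES = {
    "--": stat.S_IFREG, "-b": stat.S_IFBLK, "-c": stat.S_IFCHR,
    "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
    "-s": stat.S_IFSOCK,
}

# Constructed sample in file_contexts syntax: regex, optional type flag, context.
# "<<none>>" means "do not assign a context to this path".
SAMPLE_FILE_CONTEXTS = r"""
# comments and blank lines are ignored
/dev(/.*)?                  system_u:object_r:device_t
/dev/tty[0-9]*          -c  system_u:object_r:tty_device_t
/dev/null               -c  system_u:object_r:null_device_t
/dev/hd[a-z][0-9]*      -b  system_u:object_r:fixed_disk_device_t
/dev/shm(/.*)?              system_u:object_r:tmpfs_t
/dev/\.udev\.tdb            <<none>>
"""

def parse_file_contexts(text):
    """Return a list of (compiled_regex, mode_bits_or_None, context) specs."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:           # regex, type flag, context
            regex, ftype, context = fields
            mode = FILE_TYPES[ftype]
        elif len(fields) == 2:         # regex, context (any inode type)
            regex, context = fields
            mode = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        specs.append((re.compile(regex), mode, context))
    return specs

def match_context(specs, path, mode):
    """Context for creating `path` with st_mode `mode`; None if unlabelled.

    Mirrors the assumed matchpathcon() rule: the regex is anchored at both
    ends and the last matching entry in the file wins."""
    for regex, ftype, context in reversed(specs):
        if ftype is not None and ftype != stat.S_IFMT(mode):
            continue                   # entry restricted to another inode type
        if regex.fullmatch(path):
            return None if context == "<<none>>" else context
    return None
```

In a udev-side patch the returned context is what would go to setfscreatecon() immediately before the mknod() and be cleared with setfscreatecon(NULL) afterwards; here the lookup alone is shown so it runs without SELinux.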




More information about the fedora-selinux-list mailing list