[idea] udev + selinux
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Aug 31 11:26:44 UTC 2004
On Tue, Aug 31, 2004 at 10:49:08AM +0100, Luke Kenneth Casson Leighton wrote:
> > Seeing as my initial /dev is on a persistent
> > filesystem i don't have a problem with pre-udev stuff running.
>
> well.... you shouldn't... until you reinitialise or somehow delete,
> upgrade or otherwise modify the "old" /dev [which you will find is
> remounted --rbind to /.dev].
>
> try it: do setfiles /etc/selinux/src/file_contexts/file_contexts /.dev
> and then reboot [in permissive mode!!!]
>
> due to the present files/types.fc, you will find that the entire
> /.dev gets relabelled to something completely useless: root_t
> or default_t. i think it's default_t.
>
> consequently your next reboot in enforcing mode will fail because
> /sbin/init tries to access /dev/null and /dev/initctl etc. as
> default_t ... and it can't.
>
> should you choose to deal with this, replace /u?dev with /[\.u]dev or
> some suitable regexp that i haven't a clue how to write so i just
> did /.?u?dev and that did the trick.
it's insufficient to add /.?u?dev to just file_contexts/types.fc
you also have to search in file_contexts/program/* for /dev
and set the right context there, too.
there is i believe a bug at present in
e.g. file_contexts/program/init.fc because it only covers
/dev/initctl not /udev/initctl and not /.dev/initctl.
i think this one is the only one that's really really critical
[except on redhat of course where they all should be /u?dev]
because if /.dev/initctl gets set to default_t, you're stuffed
at next boot.
l.
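As an added example (not from this post or from the Fedora policy sources), a small Python model of the file_contexts lookup that shows why the /.?u?dev prefix has to reach the entries in file_contexts/program/init.fc as well, not only types.fc. It assumes a constructed miniature file_contexts, the documented last-matching-entry-wins rule, and ignores the file-type column.

```python
import re

# Constructed miniature of a policy's file_contexts, laid out like the
# real file ("pathregex [-type] context"); not the Fedora file itself.
BROKEN_FC = """\
/.*                 system_u:object_r:default_t
/dev(/.*)?          system_u:object_r:device_t
/dev/null       -c  system_u:object_r:null_device_t
/dev/initctl    -p  system_u:object_r:initctl_t
"""

# Same entries with the /.?u?dev prefix from the post, so /dev, /udev and
# /.dev are all covered. The "." is unescaped as in the post: it matches
# the literal dot (and any other single character), which is enough here.
FIXED_FC = BROKEN_FC.replace("/dev", "/.?u?dev")

def parse_file_contexts(text):
    """Return a list of (compiled regex, file-type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
        else:
            regex, context = parts
            ftype = None
        specs.append((re.compile(regex), ftype, context))
    return specs

def match_context(specs, path):
    """Context for path: the last matching entry wins (file_contexts(5))."""
    context = None
    for regex, _ftype, ctx in specs:
        if regex.fullmatch(path):
            context = ctx
    return context

def find_unusable_labels(fc_text, paths, bad_types=("default_t", "root_t")):
    """Paths that a relabel would give a type /sbin/init cannot use."""
    specs = parse_file_contexts(fc_text)
    return [p for p in paths
            if (match_context(specs, p) or "").split(":")[-1] in bad_types]

# Device nodes init needs at boot, under the three possible /dev locations.
PATHS = ["/dev/initctl", "/udev/initctl", "/.dev/initctl",
         "/dev/null", "/.dev/null"]

if __name__ == "__main__":
    print("broken:", find_unusable_labels(BROKEN_FC, PATHS))
    print("fixed: ", find_unusable_labels(FIXED_FC, PATHS))
```

With the original prefix, /.dev/initctl and /udev/initctl fall through to the catch-all default_t entry, which is exactly the state that breaks the next enforcing-mode boot; with the widened prefix every path gets its intended type.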
More information about the fedora-selinux-list mailing list