[redhat-lspp] dev_allocator, udev and import/export requirements
Stephen Smalley
sds at tycho.nsa.gov
Thu Sep 8 14:18:25 UTC 2005
On Thu, 2005-09-08 at 09:26 -0400, Steve Grubb wrote:
> Me too. What is the real need for this utility? Does it play nicely with
> lockdev? How does it differ from just doing a chcon on the device?
I don't know about lockdev. As far as just doing a chcon, dev_allocator
appears to differ in that:
- it handles authorization of access to the device,
- it handles synchronization of access to the device,
- it determines the context to assign to the device node dynamically
based on the allocating process,
- it handles related operations like eject/close as part of the
allocation/unallocation so that the relabeling is synchronized with the
insertion of particular media.
That does go beyond a simple chcon.
> This should be the responsibility of the OS to compare labels
I think runtime enforcement is still handled based on the device node
context; it is just an issue of how that context is assigned to the
device node. file_contexts/udev/restorecon only lets you specify a
single context for the device and doesn't deal with dynamic allocation
of the device to users at differing contexts.
--
Stephen Smalley
National Security Agency
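Added illustration, not code from dev_allocator, udev or anything posted on the list: a small Python model of the four points listed above (authorization, synchronization, a context derived from the allocating process, and eject/close tied to unallocation), set against a static file_contexts entry that names one label per device. The device paths, labels and uids are constructed values, and the way the allocated context is built (user and level from the process, role and type from the static default) is an assumption made for the model, not a description of what dev_allocator does.

```python
# Toy model of dynamic device allocation versus a static file_contexts label.
# Hypothetical and self-contained; nothing here touches a real device node.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed static defaults in the spirit of file_contexts: one label per
# device, regardless of who is using it (what restorecon would reapply).
FILE_CONTEXTS: Dict[str, str] = {
    "/dev/fd0": "system_u:object_r:removable_device_t:s0",
    "/dev/cdrom": "system_u:object_r:removable_device_t:s0",
}


@dataclass
class Device:
    path: str
    context: str                  # label currently on the device node
    holder: Optional[int] = None  # uid that allocated it, None when free
    ejected: bool = True          # whether the media is out of the drive


class DeviceAllocator:
    """Models the four differences from a plain chcon listed in the message."""

    def __init__(self, authorized: Dict[str, Set[int]]) -> None:
        self.authorized = authorized  # device path -> uids allowed to allocate
        self.devices = {p: Device(p, ctx) for p, ctx in FILE_CONTEXTS.items()}

    def allocate(self, path: str, uid: int, proc_context: str) -> str:
        dev = self.devices[path]
        # (1) authorization: a bare chcon performs no such check
        if uid not in self.authorized.get(path, set()):
            raise PermissionError(f"uid {uid} may not allocate {path}")
        # (2) synchronization: one holder at a time
        if dev.holder is not None:
            raise RuntimeError(f"{path} already allocated to uid {dev.holder}")
        # (3) dynamic context (assumed scheme): user and MLS level come from
        # the allocating process, role and type from the static default
        user, _role, _type, level = proc_context.split(":", 3)
        _u, obj_role, obj_type, _l = FILE_CONTEXTS[path].split(":", 3)
        dev.context = f"{user}:{obj_role}:{obj_type}:{level}"
        dev.holder = uid
        dev.ejected = False  # media is inserted for the holder
        return dev.context

    def deallocate(self, path: str, uid: int) -> str:
        dev = self.devices[path]
        if dev.holder != uid:
            raise PermissionError(f"{path} is not allocated to uid {uid}")
        # (4) eject/close is part of unallocation, so the relabel back to the
        # static default happens with no media left in the drive
        dev.ejected = True
        dev.context = FILE_CONTEXTS[path]
        dev.holder = None
        return dev.context


def demo() -> Dict[str, str]:
    """Walk through allocate, a busy second allocation, a denied device,
    and release; returns the observed labels and outcomes."""
    alloc = DeviceAllocator({"/dev/fd0": {1000, 1001}})  # constructed policy
    out: Dict[str, str] = {}
    out["alloc"] = alloc.allocate("/dev/fd0", 1000, "user_u:user_r:user_t:s1")
    try:
        alloc.allocate("/dev/fd0", 1001, "user_u:user_r:user_t:s2")
        out["second"] = "allowed"
    except RuntimeError:
        out["second"] = "busy"
    try:
        alloc.allocate("/dev/cdrom", 1000, "user_u:user_r:user_t:s1")
        out["cdrom"] = "allowed"
    except PermissionError:
        out["cdrom"] = "denied"
    out["free"] = alloc.deallocate("/dev/fd0", 1000)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the message: with only file_contexts the node carries `s0` no matter who is using it, whereas the allocator hands the node to the `s1` user at `s1`, refuses the `s2` user until it is released, and puts the default back only after the media is out.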