Re: selinux vs devtmpfs (vs udev)

[Harald Hoyer]

On 08/31/2010 05:26 PM, Eric Paris wrote:
> On Tue, 2010-08-31 at 11:22 -0400, Daniel J Walsh wrote:
> > On 08/31/2010 11:16 AM, Eric Paris wrote:
>
> > > I suggest a third options: Calculate the default at startup and on every
> > > policy load and fix object labels if they are the default.  I'm sure Dan
> > > knows a code example of how to do the calculation.  The pseudocode looks
> > > something like:
> >
> >
> > > lookup the label on /dev
> > > lookup the label on the initial task
> > > ask the kernel what the resulting label on a file transition with those
> > > two pieces of information will be.
> >
> >
> > NOOOOO
> >
> > libvirt is going in and changing fixed_disk_device_t:s0 to svirt_t:c0,c124
> >
> > We do not want udev to see this and ask what label a device should have
> > if libvirtd_t created a chr_file in device_t.
>
> initial task == /sbin/init
>
> actually I should look if the kernel init_cred (what devtmpfs uses to
> make security decisions) is initrc_t or kernel_t.  I'm guessing it is
> kernel_t but I'm not certain how that gets set.....
>
> -Eric

https://bugzilla.redhat.com/show_bug.cgi?id=575128#c14
https://bugzilla.redhat.com/attachment.cgi?id=442223&format=raw

udev/udev-node.c

+			/* set selinux file context on add events */
+			if (strcmp(udev_device_get_action(dev), "add") == 0)
+				udev_selinux_lsetfilecon(udev, file, mode);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/