* Re: Bug#258725: Location of net.agent

From: Luke Kenneth Casson Leighton @ 2004-07-12 8:33 UTC
To: Thomas Hood; +Cc: 258725, Alexander E. Patrakov, SE-Linux

On Mon, Jul 12, 2004 at 09:02:27AM +0200, Thomas Hood wrote:
> The reason for using net.agent is precisely to delay the processing
> of hotplug network-interface events until such time as the system is
> ready to bring up network interfaces.

ah ha :)

> We don't want to switch off the hotplug system prior to this because
> then we would miss the events.

switch off? surely you mean switch on?

> Is it really the case that it would be preferable, for SELinux reasons,
> to put net.agent into a subdirectory of /etc/hotplug/ ?

the alternative is to make a special case for every single file that
could possibly, now and in the future, write into the directory
/etc/hotplug. as you might imagine, that gets quite messy quite quickly.

by recommending a subdirectory, it is possible to do the
selinux-equivalent of setgid, such that any file in that subdirectory
will be made writeable to the hotplug scripts. (and incidentally, not by
anything else _other_ than the hotplug scripts, but that's another story)

it would also then be possible for distributions that guarantee the
existence of /var on a local filesystem that will have been mounted by
/etc/init.d/mountall.sh, to symlink /etc/hotplug/run to /var/run/hotplug.
or /etc/hotplug/state to /var/state/hotplug. whichever people who have
more experience of FHS than i deem to be more appropriate.

l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Bug#258725: Location of net.agent

From: Russell Coker @ 2004-07-12 11:16 UTC
To: Luke Kenneth Casson Leighton
Cc: Thomas Hood, 258725, Alexander E. Patrakov, SE-Linux

On Mon, 12 Jul 2004 18:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> by recommending a subdirectory, it is possible to do the
> selinux-equivalent of setgid, such that any file in that
> subdirectory will be made writeable to the hotplug scripts.

There are two advantages of a subdirectory for writable files: one is that
we don't have to keep changing the file_contexts file every time a change
is made to hotplug; the other is that on systems with a read-only root only
one sym-link is needed to get those files written to a writable file system.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
* Re: Bug#258725: Location of net.agent

From: Luke Kenneth Casson Leighton @ 2004-07-12 19:44 UTC
To: Russell Coker; +Cc: Thomas Hood, 258725, Alexander E. Patrakov, SE-Linux

i've been thinking a bit more.

perhaps there should be a debian installer-option which specifies the
directory for state information: it should be a high-priority option and
should end up placing the writeable-directory-location into
/etc/default/hotplug under some appropriate variable, e.g. STATE_DIRECTORY.

then, wherever hotplug refers to /etc/hotplug to write files, place
$(STATE_DIRECTORY) in front of it, which is read from /etc/default/hotplug.

the information presented to the person doing the installation should be
something like this:

"Please type in [select?] a directory location for hotplug to put its
state information. Bear in mind that the directory must be writeable very
early in start-up time, so if you select /var/run/hotplug, for example,
and /var is NFS mounted, the directory may not yet be accessible. If you
are running a really weird non-standard system (NFS mounted, lots of
partitions, an SE/Linux system with read-only access to /etc), you may
wish to use /devfs/shm/tmp. If you do not know what this is all talking
about, just press <return> to select /etc/hotplug/run as the default"

this will at least allow people to install systems that will work in
almost all cases.

l.

On Mon, 12 Jul 2004 18:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> by recommending a subdirectory, it is possible to do the
> selinux-equivalent of setgid, such that any file in that
> subdirectory will be made writeable to the hotplug scripts.
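The STATE_DIRECTORY idea from the message above, as an added shell example (not code from the bug thread or from Debian's hotplug package): it reads the variable from /etc/default/hotplug, falls back to /etc/hotplug/run, and refuses a directory that is not yet writable, which is the early-boot trap the message warns about when the directory is a symlink into a /var that has not been mounted. HOTPLUG_DEFAULTS (an override of the defaults-file path so the logic can be tried outside /etc) and the function names are assumptions.

```shell
#!/bin/sh
# Assumed knob: where the defaults file lives (normally /etc/default/hotplug).
HOTPLUG_DEFAULTS="${HOTPLUG_DEFAULTS:-/etc/default/hotplug}"
# Built-in default proposed in the thread.
HOTPLUG_DEFAULT_STATE_DIR="/etc/hotplug/run"

# Read STATE_DIRECTORY from the defaults file; fall back to the built-in
# default when the file or the variable is absent.
hotplug_configured_state_dir() {
    STATE_DIRECTORY=""
    [ -r "$HOTPLUG_DEFAULTS" ] && . "$HOTPLUG_DEFAULTS"
    printf '%s\n' "${STATE_DIRECTORY:-$HOTPLUG_DEFAULT_STATE_DIR}"
}

# A candidate state directory is usable only if it exists (followed
# through any symlink, e.g. /etc/hotplug/run -> /var/run/hotplug) and is
# writable by the caller.  A symlink whose target sits on a /var that is
# not mounted yet fails the -d test: that is the early-boot case the
# installer text warns about.
hotplug_state_dir_usable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Resolve the directory to use: the configured one if usable, else the
# built-in default if usable, else fail so the caller can complain rather
# than silently trying to write into a read-only /etc.
hotplug_state_dir() {
    candidate=$(hotplug_configured_state_dir)
    for dir in "$candidate" "$HOTPLUG_DEFAULT_STATE_DIR"; do
        if hotplug_state_dir_usable "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Prefix a hotplug state file name with the resolved directory, which is
# what "place $(STATE_DIRECTORY) in front of it" amounts to.
hotplug_state_path() {
    base=$(hotplug_state_dir) || return 1
    printf '%s/%s\n' "$base" "$1"
}
```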