Re: Bug#258725: Location of net.agent

Re: Bug#258725: Location of net.agent

[Luke Kenneth Casson Leighton]

On Mon, Jul 12, 2004 at 09:02:27AM +0200, Thomas Hood wrote:

> The reason for using net.agent is precisely to delay the processing
> of hotplug network-interface events until such time as the system is
> ready to bring up network interfaces.

 ah ha :)

> We don't want to switch off the hotplug system prior to this because
> then we would miss the events.

 switch off?

 surely you mean switch on?

> Is it really the case that it would be preferable, for SELinux reasons,
> to put net.agent into a subdirectory of /etc/hotplug/ ?

 the alternative is to make a special case for every single
 file that could possibly, now and in the future, write into
 the directory /etc/hotplug.  as you might imagine, that gets
 quite messy quite quickly.

 by recommending a subdirectory, it is possible to do the
 selinux-equivalent of setgid, such that any file in that
 subdirectory will be made writeable to the hotplug scripts.

 (and incidentally, not by anything else _other_ than the hotplug
  scripts, but that's another story)

 it would also then be possible for distributions that guarantee
 the existence of /var on a local filesystem that will have
 been mounted by /etc/init.d/mountall.sh, to symlink /etc/hotplug/run
 to /var/run/hotplug.

 or /etc/hotplug/state to /var/state/hotplug.

 whichever people who have more experience of FHS than i deem to be
 more appropriate.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Bug#258725: Location of net.agent

[Russell Coker]

On Mon, 12 Jul 2004 18:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
>  by recommending a subdirectory, it is possible to do the
>  selinux-equivalent of setgid, such that any file in that
>  subdirectory will be made writeable to the hotplug scripts.

There are two advantages of a subdirectory for writable files, one is that we 
don't have to keep changing the file_contexts file every time a change is 
made to hotplug, the other is that on systems with a read-only root only one 
sym-link is needed to get those files written to a writable file system.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Bug#258725: Location of net.agent

[Luke Kenneth Casson Leighton]

i been thinking a bit more.

perhaps there should be a debian installer-option which specifies the
directory for state information: it should be a high-priority option
and should end up placing the writeable-directory-location into
/etc/default/hotplug under some appropriate variable, e.g.
STATE_DIRECTORY.

then, wherever hotplug refers to /etc/hotplug to write files, place
$(STATE_DIRECTORY) in front of it, which is read from
/etc/default/hotplug.

the information presented to the person doing the installation should
be something like this:

	"Please type in [select?] a directory location for hotplug to
	 put its state information.

	Bear in mind that the directory must be writeable very early in
	start-up time, so if you select /var/run/hotplug, for example,
	and /var is NFS mounted, the directory may not yet be accessible.

	If you are running a really weird non-standard system (NFS mounted,
	lots of partitions, an SE/Linux system with read-only access to /etc,
	you may wish to use /devfs/shm/tmp.

	If you do not know what this is all talking about, just press
	<return> to select /etc/hotplug/run as the default"

this will at least allow people to install systems that will work in
almost all cases.

l.

On Mon, 12 Jul 2004 18:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
>  by recommending a subdirectory, it is possible to do the
>  selinux-equivalent of setgid, such that any file in that
>  subdirectory will be made writeable to the hotplug scripts.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.