From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Greg KH <greg@kroah.com>,
	russell@coker.com.au, SE Linux <selinux@tycho.nsa.gov>,
	fedora-selinux-list@redhat.com
Subject: Re: Fedora and udev
Date: Tue, 24 Aug 2004 10:28:53 +0100
Message-ID: <20040824092853.GD25356@lkcl.net>
In-Reply-To: <412A74A6.9070206@tresys.com>

On Mon, Aug 23, 2004 at 06:50:14PM -0400, Joshua Brindle wrote:

> Greg KH wrote:
> 
> >Please fix that patch up to:
> >	- not have any ifdef in the .c files
> >	- use the proper coding style
> >	- use the same convention as the other build flags have.
> >
> >Actually, what was wrong with the older selinux support in udev that was
> >there?  Why not just dig that stuff up and see if it works or not (I bet
> >it does...)  If so, I'll be glad to add it back in, it's just that too
> >many people complained about it when it was in there...
> > 
> >
> Who complained and why? When selinux support wasn't built in the 
> functions were just stubs, how could that have possibly had any effect 
> whatsoever on anyone else?

 there was a bug report on debian.org complaining about the d-bus support
 which took ONE SECOND per inode created (most probably due to poor
 design of d-bus, e.g. not having a prefork'd server like apache does)

 due to the multi-exe design of udev (udevd, udev, udevsend) it is quite
 difficult to maintain persistent network or socket connections such
 that both d-bus and libselinux1 "caching" can be taken advantage of.

 [libselinux1 does caching of file context lookups - this can only
  be taken advantage of IF you use a single process, of course - and
  udevsend is only given ONE device name to create, and then it exits]

 consequently, d-bus support was ripped out and disabled.

 and it looks like the selinux support, which wasn't very good anyway,
 was also removed and turned into a script that ran "restorecon"
 post-inode creation, see /etc/udev.d/default/selinux.


> If you could, please paste a patch from the older version so that we can 
> see here whether it should work right (it's possible that the libselinux 
> api changed between then and now)
 
 udev-0.024 was the last version containing selinux support, i had to
 track it down.

 iirc:
 
 1) it used setfilecon() not setfscreatecon().

 2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
    on any directories or subdirectories created.


 the patch i created is at least an attempt to GetThingsWorking(tm).

 if time REALLY IS a major concern:

 what _should_ be done is that udev (or udevd) should be patched to
 popen("setfiles -q -s", "w") and then when each device inode is
 created (and a udevsend is exec'd to do it), the filename of the
 device inode is ALSO sent down the pipe to setfiles.

 i say should, what i mean is, this is the most non-nasty solution
 with the tools and options presently available.

 if the file_contexts stuff was somehow pre-munged and
 transferred into kernel, and the regexp matching code (or
 something similar) was _also_ transferred into the kernel,
 then this problem would go away.

 l.

-- 
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Thread overview: 22+ messages
2004-08-22 11:25 Fedora and udev Russell Coker
2004-08-22 14:40 ` Luke Kenneth Casson Leighton
2004-08-22 15:29   ` Joshua Brindle
2004-08-22 16:23     ` Luke Kenneth Casson Leighton
2004-08-23 13:04     ` Stephen Smalley
2004-08-22 15:05 ` Joshua Brindle
2004-08-22 17:34   ` Luke Kenneth Casson Leighton
     [not found]     ` <20040823224444.GI4694@kroah.com>
2004-08-23 22:50       ` Joshua Brindle
2004-08-24  9:28         ` Luke Kenneth Casson Leighton [this message]
2004-08-24 10:06           ` Russell Coker
2004-08-24 14:18             ` Luke Kenneth Casson Leighton
2004-08-24 16:01               ` Luke Kenneth Casson Leighton
2004-08-24 22:23                 ` Luke Kenneth Casson Leighton
2004-08-24 11:50           ` Stephen Smalley
2004-08-24  9:41         ` Luke Kenneth Casson Leighton
     [not found]           ` <20040824163048.GA1715@kroah.com>
2004-08-26 13:57             ` Daniel J Walsh
2004-08-26 13:59               ` Joshua Brindle
     [not found] ` <orzn4nuval.fsf@livre.redhat.lsd.ic.unicamp.br>
2004-08-23  2:09   ` Russell Coker
2004-08-23  8:56     ` Luke Kenneth Casson Leighton
2004-08-23 12:04       ` Luke Kenneth Casson Leighton
     [not found]     ` <1093286952.4101.47.camel@bree.local.net>
2004-08-24  7:25       ` Russell Coker
2004-08-23  2:33 ` James Morris
