/dev entries which also need to be /.?u?dev'd

/dev entries which also need to be /.?u?dev'd

[Luke Kenneth Casson Leighton]

the following entries presently marked as /dev need, imo, to also
be modified to be ":%s/\/dev/\/.?u?dev/g" [in vi].

the reason is as i explained that if someone using udev [with or
without tmpfs] does a

	setfiles /etc/selinux/src/file_contexts/file_contexsts /.dev

then they are buggered, without the above.

for example, /.dev/initctl will suddenly end up with a default_t
type such that bootup will fail!

also /dev/.udev.tdb was set to default_t as well which could
have caused problems.

it's all gone pear-shaped, gloop, gloop.

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: /dev entries which also need to be /.?u?dev'd

[Luke Kenneth Casson Leighton]

[-- Attachment #1: Type: text/plain, Size: 753 bytes --]

duh.  having gone to the trouble of producing the list, _let's_ attach
it, shall we?

 :)

 l.

On Tue, Aug 31, 2004 at 11:16:02AM +0100, Luke Kenneth Casson Leighton wrote:
> the following entries presently marked as /dev need, imo, to also
> be modified to be ":%s/\/dev/\/.?u?dev/g" [in vi].
> 
> the reason is as i explained that if someone using udev [with or
> without tmpfs] does a
> 
> 	setfiles /etc/selinux/src/file_contexts/file_contexsts /.dev
> 
> then they are buggered, without the above.
> 
> for example, /.dev/initctl will suddenly end up with a default_t
> type such that bootup will fail!
> 
> also /dev/.udev.tdb was set to default_t as well which could
> have caused problems.
> 
> it's all gone pear-shaped, gloop, gloop.
> 
> l.

[-- Attachment #2: f --]
[-- Type: text/plain, Size: 1576 bytes --]

program/gpm.fc:/dev/gpmctl		-s	system_u:object_r:gpmctl_t
program/gpm.fc:/dev/gpmdata		-p	system_u:object_r:gpmctl_t
program/init.fc:/dev/initctl		-p	system_u:object_r:initctl_t
program/lpd.fc:/dev/printer		-s	system_u:object_r:printer_t
program/lpd.fc:/dev/lp.*		-c	system_u:object_r:printer_device_t
program/lpd.fc:/dev/par.*		-c	system_u:object_r:printer_device_t
program/lpd.fc:/dev/usb/lp.*		-c	system_u:object_r:printer_device_t
program/lpd.fc:/dev/usblp.*		-c	system_u:object_r:printer_device_t
program/lvm.fc:/dev/lvm		-c	system_u:object_r:fixed_disk_device_t
program/lvm.fc:/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
program/lvm.fc:/dev/mapper/control	-c	system_u:object_r:lvm_control_t
program/pppd.fc:/dev/ppp		-c	system_u:object_r:ppp_device_t
program/pppd.fc:/dev/pppox.*		-c	system_u:object_r:ppp_device_t
program/pppd.fc:/dev/ippp.*		-c	system_u:object_r:ppp_device_t
program/syslogd.fc:/dev/log		-s	system_u:object_r:devlog_t
program/udev.fc:/dev/udev.tbl	--	system_u:object_r:udev_tbl_t
program/udev.fc:/dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
program/vmware.fc:/dev/vmmon		-c	system_u:object_r:vmware_device_t
program/vmware.fc:/dev/vmnet.*		-c	system_u:object_r:vmware_device_t
program/vmware.fc:/dev/plex86		-c	system_u:object_r:vmware_device_t
program/watchdog.fc:/dev/watchdog		-c	system_u:object_r:watchdog_device_t
program/xserver.fc:/dev/agpgart		-c	system_u:object_r:agp_device_t
program/xserver.fc:/dev/dri/.*		-c	system_u:object_r:dri_device_t
program/xserver.fc:/dev/nvidia.*        		system_u:object_r:xserver_misc_device_t

Re: /dev entries which also need to be /.?u?dev'd

[Russell Coker]

On Tue, 31 Aug 2004 20:16, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> the following entries presently marked as /dev need, imo, to also
> be modified to be ":%s/\/dev/\/.?u?dev/g" [in vi].
>
> the reason is as i explained that if someone using udev [with or
> without tmpfs] does a
>
>  setfiles /etc/selinux/src/file_contexts/file_contexsts /.dev
>
> then they are buggered, without the above.

What if a rule such as the following was added at the end?
/\.dev(/.*)? <<none>>

That will work for the short-term.  Long term I think that the correct thing 
to do is to work on the stem-compression code in setfiles and have multiple 
prefixes for the /dev stuff.  However this requires either adding special 
case code to setfiles or adding more configuration information to the config 
file (syntax additions).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: /dev entries which also need to be /.?u?dev'd

[Luke Kenneth Casson Leighton]

On Thu, Sep 02, 2004 at 05:11:59PM +1000, Russell Coker wrote:
> On Tue, 31 Aug 2004 20:16, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > the following entries presently marked as /dev need, imo, to also
> > be modified to be ":%s/\/dev/\/.?u?dev/g" [in vi].
> >
> > the reason is as i explained that if someone using udev [with or
> > without tmpfs] does a
> >
> >  setfiles /etc/selinux/src/file_contexts/file_contexsts /.dev
> >
> > then they are buggered, without the above.
> 
> What if a rule such as the following was added at the end?
> /\.dev(/.*)? <<none>>
 
 as i understand it, that would result in /.dev and its contents
 from _not_ being affected by setfiles - neither setting nor
 unsetting any existing file contexts.

 that would mean that if the files in /.dev accidentally lost
 their file contexts [e.g. if you remember, 3 months ago i
 regularly had fsck.ext2 complain about extended attributes
 and _delete_ them in order to "fix" the problem]

 or if someone re-ran MAKEDEV in /.dev

 that they would still be unable to boot unless they remembered
 to manually set up a file context on each node.

 l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.