* refpolicy HEAD, Debian, patch for udev.te
@ 2007-11-26 14:45 Václav Ovsík
2007-11-27 18:49 ` Christopher J. PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Václav Ovsík @ 2007-11-26 14:45 UTC (permalink / raw)
To: selinux
Hi,
Debian Etch, refpolicy HEAD: during startup (udevsettle), while creating
symlinks in /dev/disk/by-uuid/..., udev produces the following:
audit(1195744042.060:3): avc: denied { relabelfrom } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
audit(1195744042.060:4): avc: denied { relabelto } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
The attached patch solves this.
Can it be merged into refpolicy, please?
--
Zito
[-- Attachment #2: udev.te.debian.patch --]
[-- Type: text/x-diff, Size: 464 bytes --]
Index: policy/modules/system/udev.te
===================================================================
--- policy/modules/system/udev.te (revision 2530)
+++ policy/modules/system/udev.te (working copy)
@@ -96,6 +96,7 @@
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
dev_relabel_all_dev_nodes(udev_t)
+dev_relabel_generic_symlinks(udev_t)
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
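Review bot: the new dev_relabel_generic_symlinks(udev_t) line carries no comment saying why udev_t needs relabelfrom/relabelto on every generic device symlink, and the two denials it silences both report tcontext=system_u:object_r:device_t:s0 on the same lnk_file, i.e. a relabel to the label the link already has. Before widening udev_t this far, the patch description should state whether the relabel is ever a real label change; if it only exists because udev re-applies the label to a pre-existing link, a one-line comment next to the rule (for example "# udev re-applies the label on pre-existing /dev symlinks") would stop the next reader from assuming symlinks really change type here. Also confirm the interface is present in devices.if at revision 2530: the dev_relabel_all_dev_nodes(udev_t) line just above covers device nodes, not lnk_file, so a missing interface would fail the build rather than be caught by the existing rule.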
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-26 14:45 refpolicy HEAD, Debian, patch for udev.te Václav Ovsík
@ 2007-11-27 18:49 ` Christopher J. PeBenito
2007-11-29 20:06 ` Martin Orr
0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2007-11-27 18:49 UTC (permalink / raw)
To: Václav Ovsík; +Cc: selinux
On Mon, 2007-11-26 at 15:45 +0100, Václav Ovsík wrote:
> Hi,
> Debian Etch, refpolicy HEAD, udev produces during startup (udevsettle)
> while creating symlinks into /dev/disk/by-uuid/...
> following:
>
> audit(1195744042.060:3): avc: denied { relabelfrom } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
> audit(1195744042.060:4): avc: denied { relabelto } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
>
> Attached patch solves this.
> Can be merged into refpolicy please?
This is interesting, it isn't seen on other distros. Perhaps it has to
do with the way debian sets up tmpfs /dev before udev starts?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-27 18:49 ` Christopher J. PeBenito
@ 2007-11-29 20:06 ` Martin Orr
2007-11-30 13:49 ` Václav Ovsík
0 siblings, 1 reply; 11+ messages in thread
From: Martin Orr @ 2007-11-29 20:06 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Václav Ovsík, selinux
On 27/11/07 18:49, Christopher J. PeBenito wrote:
> On Mon, 2007-11-26 at 15:45 +0100, Václav Ovsík wrote:
>> Hi,
>> Debian Etch, refpolicy HEAD, udev produces during startup (udevsettle)
>> while creating symlinks into /dev/disk/by-uuid/...
>> following:
>>
>> audit(1195744042.060:3): avc: denied { relabelfrom } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
>> audit(1195744042.060:4): avc: denied { relabelto } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
>>
>> Attached patch solves this.
>> Can be merged into refpolicy please?
>
> This is interesting, it isn't seen on other distros. Perhaps it has to
> do with the way debian sets up tmpfs /dev before udev starts?
I get similar messages: note that the contexts being relabelled from and to
are the same.
I had a look, and the symlinks are created by udev running in the initramfs,
then the tmpfs /dev is mount --moved into the main root. No labelling is
done yet because no policy has been loaded. Then when the main udev starts
up it replays the coldplug events. When it comes to create the symlink
again, it notices that it is already there and calls lsetfilecon.
Should udev or libselinux be checking whether it will be relabelling files
to their existing label? And indeed, it's not clear to me why udev should
be calling lsetfilecon on existing symlinks at all.
--
Martin Orr
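Martin's observation above (the relabelfrom and relabelto denials name the same tcontext, so the relabel changes nothing) can be checked mechanically when triaging an audit log. The following is an added example, not code from this thread, from udev or from refpolicy: it parses the two-record AVC form shown here, pairs each relabelfrom with the relabelto logged right after it for the same object (same pid, dev, ino and tclass, consecutive serial number), and flags pairs whose contexts are identical as no-op relabels. The first two sample lines are the udevd denials quoted in the report; the last two are constructed to show what a genuine label change looks like.

```python
import re
from collections import defaultdict

# Old-style (2.6.x) audit line: audit(ts:serial): avc: denied { perm } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "serial": int(m["serial"]),
        "verdict": m["verdict"],
        "perms": m["perms"].split(),
    }
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    return rec


def find_relabel_pairs(lines):
    """Pair relabelfrom/relabelto denials on the same object.

    In the relabelfrom record tcontext is the object's current label; in the
    relabelto record tcontext is the label being requested.  If the two are
    equal, the setxattr was a no-op that only produced audit noise.
    """
    records = [r for r in map(parse_avc, lines) if r]
    by_object = defaultdict(list)
    for r in records:
        by_object[(r.get("pid"), r.get("dev"), r.get("ino"), r.get("tclass"))].append(r)

    pairs = []
    for (pid, dev, ino, tclass), recs in by_object.items():
        froms = [r for r in recs if "relabelfrom" in r["perms"]]
        tos = {r["serial"]: r for r in recs if "relabelto" in r["perms"]}
        for f in froms:
            # Both checks come from one setxattr() and are logged back to back.
            t = tos.get(f["serial"] + 1)
            if t is None:
                continue
            pairs.append({
                "pid": pid, "dev": dev, "ino": ino, "tclass": tclass,
                "name": f.get("name"), "comm": f.get("comm"),
                "from": f["tcontext"], "to": t["tcontext"],
                "noop": f["tcontext"] == t["tcontext"],
            })
    return pairs


# First two lines are the udevd denials quoted in this thread; the last two are
# constructed to show a real label change (device_t -> fixed_disk_device_t).
SAMPLE_LINES = [
    'audit(1195744042.060:3): avc: denied { relabelfrom } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file',
    'audit(1195744042.060:4): avc: denied { relabelto } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file',
    'audit(1195744042.061:5): avc: denied { relabelfrom } for pid=836 comm="udevd" name="sda1" dev=tmpfs ino=1650 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'audit(1195744042.061:6): avc: denied { relabelto } for pid=836 comm="udevd" name="sda1" dev=tmpfs ino=1650 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
]


def report(lines):
    """One human-readable line per relabel pair."""
    out = []
    for p in find_relabel_pairs(lines):
        kind = "NO-OP relabel" if p["noop"] else "label change"
        out.append(f"{kind}: {p['comm']} pid={p['pid']} ino={p['ino']} {p['tclass']} "
                   f"{p['from']} -> {p['to']}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

A no-op pair is the signature of a program calling setfilecon without first checking the existing label; a pair with differing contexts is a real relabel that the policy either should allow or should be investigated as an attempt to change a label.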
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-29 20:06 ` Martin Orr
@ 2007-11-30 13:49 ` Václav Ovsík
2007-11-30 14:38 ` Christopher J. PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Václav Ovsík @ 2007-11-30 13:49 UTC (permalink / raw)
To: Martin Orr; +Cc: Christopher J. PeBenito, selinux
On Thu, Nov 29, 2007 at 08:06:44PM +0000, Martin Orr wrote:
> On 27/11/07 18:49, Christopher J. PeBenito wrote:
> > On Mon, 2007-11-26 at 15:45 +0100, Václav Ovsík wrote:
> >> Hi,
> >> Debian Etch, refpolicy HEAD, udev produces during startup (udevsettle)
> >> while creating symlinks into /dev/disk/by-uuid/...
> >> following:
> >>
> >> audit(1195744042.060:3): avc: denied { relabelfrom } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
> >> audit(1195744042.060:4): avc: denied { relabelto } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
> >>
> >> Attached patch solves this.
> >> Can be merged into refpolicy please?
> >
> > This is interesting, it isn't seen on other distros. Perhaps it has to
> > do with the way debian sets up tmpfs /dev before udev starts?
>
> I get similar messages: note that the contexts being relabelled from and to
> are the same.
>
> I had a look, and the symlinks are created by udev running in the initramfs,
> then the tmpfs /dev is mount --moved into the main root. No labelling is
> done yet because no policy has been loaded. Then when the main udev starts
> up it replays the coldplug events. When it comes to create the symlink
> again, it notices that it is already there and calls lsetfilecon.
Hmm, you hit the nail on the head :)
> Should udev or libselinux be checking whether it will be relabelling files
> to their existing label? And indeed, it's not clear to me why udev should
> be calling lsetfilecon on existing symlinks at all.
>
> --
> Martin Orr
I tried to execute udevd with --verbose in the startup script and this is
the result:
[840] udev_db_get_device: no db file to read /dev/.udev/db/\x2fdevices\x2fxen\x2fvbd-2049: No such file or directory
[840] run_program: 'vol_id --export /dev/.tmp-8-1'
...
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_USAGE=filesystem'
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_TYPE=ext3'
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_VERSION=1.0'
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_UUID=0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_UUID_ENC=0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_LABEL='
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_LABEL_ENC='
[840] run_program: '/lib/udev/vol_id' (stdout) 'ID_FS_LABEL_SAFE='
[840] run_program: '/lib/udev/vol_id' returned with status 0
[840] udev_rules_get_name: add symlink 'disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] udev_rules_get_name: no node name set, will use kernel name ''
[840] udev_device_event: device '/block/sda1' already in database, cleanup
[840] name_index: removing index: '/dev/.udev/names/sda1/\x2fblock\x2fsda1'
[840] name_index: removing index: '/dev/.udev/names/disk\x2fby-uuid\x2f0fb8bc6a-db49-4a7e-a030-268373a933d9/\x2fblock\x2fsda1'
[840] udev_node_add: creating device node '/dev/sda1', major=8, minor=1, mode=0660, uid=0, gid=6
[840] udev_node_mknod: preserve file '/dev/sda1', because it has correct dev_t
[840] name_index: creating index: '/dev/.udev/names/disk\x2fby-uuid\x2f0fb8bc6a-db49-4a7e-a030-268373a933d9/\x2fblock\x2fsda1'
[840] name_index: creating index: '/dev/.udev/names/sda1/\x2fblock\x2fsda1'
[840] udev_node_update_symlinks: update symlink 'disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9' of '/block/sda1'
[840] udev_db_get_devices_by_name: found index directory '/dev/.udev/names/disk\x2fby-uuid\x2f0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] update_link: found 1 devices with name 'disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] update_link: found '/block/sda1' for 'disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] update_link: compare (our own) priority of '/block/sda1' 0 >= 0
[840] update_link: 'disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9' with target 'sda1' has the highest priority 0, create it
[840] node_symlink: found existing symlink '/dev/disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9'
[840] node_symlink: preserve already existing symlink '/dev/disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9' to '../../sda1'
audit(1196406913.936:3): avc: denied { relabelfrom } for pid=840 comm="udevd" name="0fb8bc6a-db49-4a7e-a030-268373a933d9" dev=tmpfs ino=2009 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
audit(1196406913.936:4): avc: denied { relabelto } for pid=840 comm="udevd" name="0fb8bc6a-db49-4a7e-a030-268373a933d9" dev=tmpfs ino=2009 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
[840] pass_env_to_socket: passed -1 bytes to socket '/org/kernel/udev/monitor',
[840] udev_event_run: seq 355 finished with 0
...
Corresponding code is in udev_node.c, function node_symlink().
...
    if (strcmp(target, buf) == 0) {
        info("preserve already existing symlink '%s' to '%s'", slink, target);
        selinux_setfilecon(slink, NULL, S_IFLNK);
        goto exit;
    }
...
Regards
--
Zito
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-30 13:49 ` Václav Ovsík
@ 2007-11-30 14:38 ` Christopher J. PeBenito
2007-11-30 15:30 ` Václav Ovsík
0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2007-11-30 14:38 UTC (permalink / raw)
To: Václav Ovsík; +Cc: Martin Orr, selinux
On Fri, 2007-11-30 at 14:49 +0100, Václav Ovsík wrote:
> On Thu, Nov 29, 2007 at 08:06:44PM +0000, Martin Orr wrote:
> > On 27/11/07 18:49, Christopher J. PeBenito wrote:
> > > On Mon, 2007-11-26 at 15:45 +0100, Václav Ovsík wrote:
> > >> Hi,
> > >> Debian Etch, refpolicy HEAD, udev produces during startup (udevsettle)
> > >> while creating symlinks into /dev/disk/by-uuid/...
> > >> following:
> > >>
> > >> audit(1195744042.060:3): avc: denied { relabelfrom } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
> > >> audit(1195744042.060:4): avc: denied { relabelto } for pid=836 comm="udevd" name="44517f56-2445-4330-bce7-5168aa534c1c" dev=tmpfs ino=1646 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file
> > >>
> > >> Attached patch solves this.
> > >> Can be merged into refpolicy please?
> > >
> > > This is interesting, it isn't seen on other distros. Perhaps it has to
> > > do with the way debian sets up tmpfs /dev before udev starts?
> >
> > I get similar messages: note that the contexts being relabelled from and to
> > are the same.
> >
> > I had a look, and the symlinks are created by udev running in the initramfs,
> > then the tmpfs /dev is mount --moved into the main root. No labelling is
> > done yet because no policy has been loaded. Then when the main udev starts
> > up it replays the coldplug events. When it comes to create the symlink
> > again, it notices that it is already there and calls lsetfilecon.
>
> Hmm, you hit the nail on its head :)
I thought that was the case, I was just surprised that it wasn't
short-circuited. What is odd is that it makes the check for equality,
but then does the setfilecon anyway:
> Corresponding code is in udev_node.c, function node_symlink().
> if (strcmp(target, buf) == 0) {
> info("preserve already existing symlink '%s' to '%s'", slink,
> target);
> selinux_setfilecon(slink, NULL, S_IFLNK);
> goto exit;
> }
I'll add the rule. Perhaps someone should send up a patch to remove the
setfilecon, and update the info message.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-30 14:38 ` Christopher J. PeBenito
@ 2007-11-30 15:30 ` Václav Ovsík
2007-11-30 15:55 ` Christopher J. PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Václav Ovsík @ 2007-11-30 15:30 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Martin Orr, selinux
On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
> ...
> I thought that was the case, I was just surprised that it wasn't
> short-circuited. What is odd is that it makes the check for equality,
> but then does the setfilecon anyway:
The udev startup script /etc/init.d/udev runs restorecon in several places,
and /sbin/restorecon -R /dev before starting udevd, so the symlinks
already have the right context.
If for some reason there is no symlink, udevd should probably
create one and relabel it. Right?
>
> > Corresponding code is in udev_node.c, function node_symlink().
>
> > if (strcmp(target, buf) == 0) {
> > info("preserve already existing symlink '%s' to '%s'", slink,
> > target);
> > selinux_setfilecon(slink, NULL, S_IFLNK);
> > goto exit;
> > }
>
> I'll add the rule. Perhaps someone should send up a patch to remove the
> setfilecon, and update the info message.
Do you mean to compare the context of the symlink and skip setfilecon if it
is ok?
--
Zito
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-30 15:30 ` Václav Ovsík
@ 2007-11-30 15:55 ` Christopher J. PeBenito
2007-11-30 17:24 ` Martin Orr
0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2007-11-30 15:55 UTC (permalink / raw)
To: Václav Ovsík; +Cc: Martin Orr, selinux
On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
> > ...
> > I thought that was the case, I was just surprised that it wasn't
> > short-circuited. What is odd is that it makes the check for equality,
> > but then does the setfilecon anyway:
>
> The udev startup script /etc/init.d/udev runs restorecon in several places,
> and /sbin/restorecon -R /dev before starting udevd, so the symlinks
> already have the right context.
> If for some reason there is no symlink, udevd should probably
> create one and relabel it. Right?
I thought that's what it did.
> > > Corresponding code is in udev_node.c, function node_symlink().
> >
> > > if (strcmp(target, buf) == 0) {
> > > info("preserve already existing symlink '%s' to '%s'", slink,
> > > target);
> > > selinux_setfilecon(slink, NULL, S_IFLNK);
> > > goto exit;
> > > }
> >
> > I'll add the rule. Perhaps someone should send up a patch to remove the
> > setfilecon, and update the info message.
>
> Do you mean to compare the context of the symlink and skip setfilecon if it
> is ok?
Yes. Unless there's a good reason to keep it as-is that I don't know
about.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-30 15:55 ` Christopher J. PeBenito
@ 2007-11-30 17:24 ` Martin Orr
2007-12-01 23:21 ` Chris PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Martin Orr @ 2007-11-30 17:24 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Václav Ovsík, selinux
On 30/11/07 15:55, Christopher J. PeBenito wrote:
> On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
>> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
>>>> Corresponding code is in udev_node.c, function node_symlink().
>>>> if (strcmp(target, buf) == 0) {
>>>> info("preserve already existing symlink '%s' to '%s'", slink,
>>>> target);
>>>> selinux_setfilecon(slink, NULL, S_IFLNK);
>>>> goto exit;
>>>> }
>>> I'll add the rule. Perhaps someone should send up a patch to remove the
>>> setfilecon, and update the info message.
>> Do you mean to compare the context of the symlink and skip setfilecon if it
>> is ok?
>
> Yes. Unless there's a good reason to keep it as-is that I don't know
> about.
Well I'll send a patch to udev. Should it just be the below, or should udev
be relabelling symlinks if it finds that they exist but are wrongly
labelled? How do I test for equality of security contexts?
--- a/udev_node.c
+++ b/udev_node.c
@@ -146,7 +146,6 @@ static int node_symlink(const char *node, const char *slink)
buf[len] = '\0';
if (strcmp(target, buf) == 0) {
info("preserve already existing symlink '%s' to '%s'", slink, target);
- selinux_setfilecon(slink, NULL, S_IFLNK);
goto exit;
}
}
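Review bot: deleting the selinux_setfilecon() call in the preserve branch means a pre-existing symlink whose label is wrong (for instance one created by the initramfs udev before policy was loaded and never restorecon'd) is now never corrected, so the hunk answers the question in the cover text the wrong way round: the no-op relabel should go, but a real mismatch should still be fixed. Suggest reading the link's own label with lgetfilecon(3), comparing it with what the file_contexts lookup (matchpathcon(3) with S_IFLNK) returns for slink, and calling selinux_setfilecon() only when the two differ; a context is a plain string, so strcmp() is the equality test you asked about. The info() message on the line above still says only "preserve already existing symlink" and does not say whether the label was left alone or corrected, which the earlier reply asked to have updated along with this change.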
--
Martin Orr
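Martin asks how to test two security contexts for equality and whether udev should fix a wrongly labelled link it finds. Below is an added example, not udev's code and not from anyone in the thread, of the decision node_symlink() could make for a link that already exists: read the label the link currently carries, look up the label policy says it should have, and relabel only on a mismatch. The three operations are passed in as callables so the logic runs without SELinux; on a real system they correspond to libselinux's lgetfilecon(3), matchpathcon(3) with S_IFLNK, and lsetfilecon(3). The LabelStore class, its paths' labels and the tmpfs_t case are constructed for the demo; the optional adapter at the end wires in the `selinux` Python binding if it is installed, and its [rc, context] return shape is an assumption on my part. A context is just a string, so equality is a plain string comparison.

```python
import stat


class LabelStore:
    """In-memory stand-in for the /dev tmpfs plus file_contexts (constructed)."""

    def __init__(self, labels, file_contexts):
        self.labels = dict(labels)                 # path -> label currently on it
        self.file_contexts = dict(file_contexts)   # path -> label policy wants
        self.setcon_calls = []                     # every relabel actually issued

    # lgetfilecon(3): label of the link itself, None if it does not exist
    def getcon(self, path):
        return self.labels.get(path)

    # matchpathcon(3): what file_contexts says a path of this file type should be
    def lookup(self, path, mode):
        return self.file_contexts.get(path)

    # lsetfilecon(3): the only call that can trigger relabelfrom/relabelto
    def setcon(self, path, context):
        self.setcon_calls.append((path, context))
        self.labels[path] = context


def relabel_symlink_if_needed(slink, getcon, lookup, setcon):
    """Return 'missing', 'unchanged' or 'relabeled' for an existing symlink."""
    current = getcon(slink)
    if current is None:
        return "missing"
    wanted = lookup(slink, stat.S_IFLNK)
    if wanted is None or wanted == current:
        # Same context (or no rule): skip setcon, so no relabel permission is needed
        return "unchanged"
    setcon(slink, wanted)
    return "relabeled"


DEV_T = "system_u:object_r:device_t:s0"
LINK_OK = "/dev/disk/by-uuid/44517f56-2445-4330-bce7-5168aa534c1c"
LINK_WRONG = "/dev/disk/by-uuid/0fb8bc6a-db49-4a7e-a030-268373a933d9"
LINK_MISSING = "/dev/disk/by-uuid/does-not-exist"


def demo():
    # LINK_OK: created early, then restorecon'd, so it is already device_t.
    # LINK_WRONG: constructed case of a link that kept a wrong label (tmpfs_t).
    store = LabelStore(
        labels={LINK_OK: DEV_T, LINK_WRONG: "system_u:object_r:tmpfs_t:s0"},
        file_contexts={LINK_OK: DEV_T, LINK_WRONG: DEV_T},
    )
    results = {
        path: relabel_symlink_if_needed(path, store.getcon, store.lookup, store.setcon)
        for path in (LINK_OK, LINK_WRONG, LINK_MISSING)
    }
    return results, store.setcon_calls


def libselinux_callables():
    """Optional glue for a real system; assumes the binding returns [rc, context]."""
    import selinux  # raises ImportError where the libselinux binding is absent

    def getcon(path):
        rc, con = selinux.lgetfilecon(path)
        return con if rc >= 0 else None

    def lookup(path, mode):
        rc, con = selinux.matchpathcon(path, mode)
        return con if rc >= 0 else None

    return getcon, lookup, selinux.lsetfilecon


if __name__ == "__main__":
    results, calls = demo()
    for path, outcome in results.items():
        print(f"{outcome:10} {path}")
    print("setfilecon calls issued:", calls)
```

With this shape the correctly labelled link produces no setcon call at all, so udev_t needs no relabelfrom/relabelto on it, while a link that really carries the wrong label is still brought back to what file_contexts specifies.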
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-11-30 17:24 ` Martin Orr
@ 2007-12-01 23:21 ` Chris PeBenito
2007-12-04 10:41 ` Martin Orr
2007-12-04 14:07 ` Daniel J Walsh
0 siblings, 2 replies; 11+ messages in thread
From: Chris PeBenito @ 2007-12-01 23:21 UTC (permalink / raw)
To: Martin Orr; +Cc: Václav Ovsík, selinux
On Fri, 2007-11-30 at 17:24 +0000, Martin Orr wrote:
> On 30/11/07 15:55, Christopher J. PeBenito wrote:
> > On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
> >> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
> >>>> Corresponding code is in udev_node.c, function node_symlink().
> >>>> if (strcmp(target, buf) == 0) {
> >>>> info("preserve already existing symlink '%s' to '%s'", slink,
> >>>> target);
> >>>> selinux_setfilecon(slink, NULL, S_IFLNK);
> >>>> goto exit;
> >>>> }
> >>> I'll add the rule. Perhaps someone should send up a patch to remove the
> >>> setfilecon, and update the info message.
> >> Do you mean to compare the context of the symlink and skip setfilecon if it
> >> is ok?
> >
> > Yes. Unless there's a good reason to keep it as-is that I don't know
> > about.
>
> Well I'll send a patch to udev. Should it just be the below, or should udev
> be relabelling symlinks if it finds that they exist but are wrongly
> labelled? How do I test for equality of security contexts?
>
> --- a/udev_node.c
> +++ b/udev_node.c
> @@ -146,7 +146,6 @@ static int node_symlink(const char *node, const char *slink)
> buf[len] = '\0';
> if (strcmp(target, buf) == 0) {
> info("preserve already existing symlink '%s' to '%s'", slink, target);
> - selinux_setfilecon(slink, NULL, S_IFLNK);
> goto exit;
> }
> }
Yes, that's what I was thinking. Since the function is node_symlink(),
I'm guessing there is a similar function for char and block nodes, etc.?
Those should be checked to make sure they don't do unneeded relabeling
too.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-12-01 23:21 ` Chris PeBenito
@ 2007-12-04 10:41 ` Martin Orr
2007-12-04 14:07 ` Daniel J Walsh
1 sibling, 0 replies; 11+ messages in thread
From: Martin Orr @ 2007-12-04 10:41 UTC (permalink / raw)
To: Chris PeBenito; +Cc: Václav Ovsík, selinux
On 01/12/07 23:21, Chris PeBenito wrote:
> On Fri, 2007-11-30 at 17:24 +0000, Martin Orr wrote:
>> On 30/11/07 15:55, Christopher J. PeBenito wrote:
>>> On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
>>>> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
>>>>>> Corresponding code is in udev_node.c, function node_symlink().
>>>>>> if (strcmp(target, buf) == 0) {
>>>>>> info("preserve already existing symlink '%s' to '%s'", slink,
>>>>>> target);
>>>>>> selinux_setfilecon(slink, NULL, S_IFLNK);
>>>>>> goto exit;
>>>>>> }
>>>>> I'll add the rule. Perhaps someone should send up a patch to remove the
>>>>> setfilecon, and update the info message.
> Yes, that's what I was thinking. Since the function is node_symlink(),
> I'm guessing there is a similar function for char and block nodes, etc.?
> Those should be checked to make sure they don't do unneeded relabeling
> too.
That's true. And for char and block nodes, it also does a chmod to reset
the permissions. Apparently this is intended, because "you can't expect
that the properties of a pre-existing node are correct."
Best wishes,
--
Martin Orr
* Re: refpolicy HEAD, Debian, patch for udev.te
2007-12-01 23:21 ` Chris PeBenito
2007-12-04 10:41 ` Martin Orr
@ 2007-12-04 14:07 ` Daniel J Walsh
1 sibling, 0 replies; 11+ messages in thread
From: Daniel J Walsh @ 2007-12-04 14:07 UTC (permalink / raw)
To: Chris PeBenito; +Cc: Martin Orr, Václav Ovsík, selinux
Chris PeBenito wrote:
> On Fri, 2007-11-30 at 17:24 +0000, Martin Orr wrote:
>> On 30/11/07 15:55, Christopher J. PeBenito wrote:
>>> On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
>>>> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
>>>>>> Corresponding code is in udev_node.c, function node_symlink().
>>>>>> if (strcmp(target, buf) == 0) {
>>>>>> info("preserve already existing symlink '%s' to '%s'", slink,
>>>>>> target);
>>>>>> selinux_setfilecon(slink, NULL, S_IFLNK);
>>>>>> goto exit;
>>>>>> }
>>>>> I'll add the rule. Perhaps someone should send up a patch to remove the
>>>>> setfilecon, and update the info message.
>>>> Do you mean to compare the context of the symlink and skip setfilecon if it
>>>> is ok?
>>> Yes. Unless there's a good reason to keep it as-is that I don't know
>>> about.
>> Well I'll send a patch to udev. Should it just be the below, or should udev
>> be relabelling symlinks if it finds that they exist but are wrongly
>> labelled? How do I test for equality of security contexts?
>>
>> --- a/udev_node.c
>> +++ b/udev_node.c
>> @@ -146,7 +146,6 @@ static int node_symlink(const char *node, const char *slink)
>> buf[len] = '\0';
>> if (strcmp(target, buf) == 0) {
>> info("preserve already existing symlink '%s' to '%s'", slink, target);
>> - selinux_setfilecon(slink, NULL, S_IFLNK);
>> goto exit;
>> }
>> }
>
> Yes, that's what I was thinking. Since the function is node_symlink(),
> I'm guessing there is a similar function for char and block nodes, etc.?
> Those should be checked to make sure they don't do unneeded relabeling
> too.
>
My patch for Fedora adds the ability for udev to relabelto relabelfrom
device_t symlinks.
Even if you fix udev, these rules should be added, since you could label
the symlink as something other than device_t.
end of thread, other threads:[~2007-12-04 14:08 UTC | newest]
Thread overview: 11+ messages
2007-11-26 14:45 refpolicy HEAD, Debian, patch for udev.te Václav Ovsík
2007-11-27 18:49 ` Christopher J. PeBenito
2007-11-29 20:06 ` Martin Orr
2007-11-30 13:49 ` Václav Ovsík
2007-11-30 14:38 ` Christopher J. PeBenito
2007-11-30 15:30 ` Václav Ovsík
2007-11-30 15:55 ` Christopher J. PeBenito
2007-11-30 17:24 ` Martin Orr
2007-12-01 23:21 ` Chris PeBenito
2007-12-04 10:41 ` Martin Orr
2007-12-04 14:07 ` Daniel J Walsh