* [sds@epoch.ncsc.mil: Re: temporary hack to use udev in selinux]
@ 2004-07-29 14:38 Luke Kenneth Casson Leighton
0 siblings, 0 replies; only message in thread
From: Luke Kenneth Casson Leighton @ 2004-07-29 14:38 UTC (permalink / raw)
To: linux-hotplug
i believe that the use of the udev_selinux stuff was there to
make the node creation have the correct permissions at create
time.
this would at least avoid _one_ race condition.
l.
----- Forwarded message from Stephen Smalley <sds@epoch.ncsc.mil> -----
Envelope-to: lkcl@localhost
Delivery-date: Thu, 29 Jul 2004 14:33:18 +0100
X-Sieve: CMU Sieve 2.2
Subject: Re: temporary hack to use udev in selinux
From: Stephen Smalley <sds@epoch.ncsc.mil>
To: Joshua Brindle <method@gentoo.org>
Cc: Luke Kenneth Casson Leighton <lkcl@lkcl.net>,
SE-Linux <selinux@tycho.nsa.gov>, James Morris <jmorris@redhat.com>,
Daniel J Walsh <dwalsh@redhat.com>
Organization: National Security Agency
X-Virus-Scanned: by amavisd-new-20030616-p7 (Debian) at hands.com
On Wed, 2004-07-28 at 20:29, Joshua Brindle wrote:
> Chris PeBenito made this patch for Gentoo when we were evalutating udev
> on selinux
>
> http://dev.gentoo.org/~method/1330_linux-2.6.5-ramfs-xattr.patch
Why wasn't this submitted upstream? ramfs xattr support (and likewise
for other pseudo fs's like tmpfs) has been on our todo list for some
time.
> that should patch cleanly into 2.6.7, but I'd like to note that at this
> point udev is braindead wrt SELinux.
> Once upon a time udev had selinux support integrated so that setfscreate
> was called to set the context of the devices being written however it
> was changed at some point to make SELinux an after device creation addon
> script which makes it label the devices after they are created. Because
> of this Hardened Gentoo has decided not to support udev at this time.
I haven't tried udev myself, but I think Dan has used it successfully
with SELinux. I'd agree that having udev directly call matchpathcon()
and then setfscreatecon() prior to node creation would be preferable,
but I'm not sure that it is strictly necessary - as long as the default
creation type is suitably restrictive and nothing tries to access it
prior to the restorecon.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
----- End forwarded message -----
--
--
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id\x10040&op=click
_______________________________________________
Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2004-07-29 14:38 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-07-29 14:38 [sds@epoch.ncsc.mil: Re: temporary hack to use udev in selinux] Luke Kenneth Casson Leighton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).