From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <stephen.smalley@gmail.com>
Cc: Eric Paris <eparis@redhat.com>,
Kay Sievers <kay.sievers@vrfy.org>,
Harald Hoyer <harald@redhat.com>,
linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
greg@kroah.com, sds@tycho.nsa.gov
Subject: Re: selinux vs devtmpfs (vs udev)
Date: Wed, 01 Sep 2010 15:44:03 -0400
Message-ID: <4C7EAD03.2010005@redhat.com>
In-Reply-To: <AANLkTiktz6bc6Ue9OKZ0ejSqf7GH4z50JeUvidxHbrSw@mail.gmail.com>
On 09/01/2010 12:08 PM, Stephen Smalley wrote:
> On Tue, Aug 31, 2010 at 4:51 PM, Eric Paris <eparis@redhat.com> wrote:
>> On Tue, 2010-08-31 at 21:32 +0200, Kay Sievers wrote:
>>> On Tue, Aug 31, 2010 at 17:49, Harald Hoyer <harald@redhat.com> wrote:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=575128#c14
>>>> https://bugzilla.redhat.com/attachment.cgi?id=442223&format=raw
>>>>
>>>> udev/udev-node.c
>>>>
>>>> + /* set selinux file context on add events */
>>>> + if (strcmp(udev_device_get_action(dev), "add") == 0)
>>>> + udev_selinux_lsetfilecon(udev, file, mode);
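Review bot: the comment on the new `if` documents what the check does but not why it is restricted to "add" events, and that restriction is the whole behaviour change of the hunk: a non-add event (such as `change`) on an existing node no longer causes `udev_selinux_lsetfilecon()` to reset the node's SELinux context, so a context applied later by another tool survives instead of being clobbered. Suggest expanding `/* set selinux file context on add events */` to state that intent explicitly, so the next reader does not take the narrowed condition for an accidental regression.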
>>>
>>> I can't access these bugs.
>>>
>>> Does that make sense/work for you?
>>> http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=326c5fc3ea684825629eccaf33a548759162a539
>>>
>>> Kay
>>
>> I asked Harald (but he wasn't around and I don't know the answer) if it is
>> a problem that this changes the behavior of non "add" events.
>> Previously a non "add" event with an incorrect mask/uid/gid would have
>> reset the SELinux context but now it will not. It fixes the issue at
>> hand, my boxes boot with everything labeled nicely, but I'm not sure if
>> there is some other corner case that expected the old behavior with
>> change events....
>
> Maybe we should back up and ask the udev folks how they think libvirt
> labeling should be done so as to not conflict with udev labeling, e.g.
> should libvirt be going through udev to assign the labels.
>
Well, I guess I would not want someone to chcon a device and then have udev
fixing the label. Especially on MLS machines.