From: Luke Kenneth Casson Leighton
To: selinux at lists.fedoraproject.org
Subject: Re: Fedora and udev
Date: Tue, 24 Aug 2004 10:28:53 +0100
Message-ID: <20040824092853.GD25356@lkcl.net>
In-Reply-To: 412A74A6.9070206@tresys.com

On Mon, Aug 23, 2004 at 06:50:14PM -0400, Joshua Brindle wrote:
> Greg KH wrote:
>
> >Please fix that patch up to:
> > - not have any ifdef in the .c files
> > - use the proper coding style
> > - use the same convention as the other build flags have.
> >
> >Actually, what was wrong with the older selinux support in udev that was
> >there? Why not just dig that stuff up and see if it works or not (I bet
> >it does...) If so, I'll be glad to add it back in, it's just that too
> >many people complained about it when it was in there...
> >
> >
> Who complained and why? When selinux support wasn't built in the
> functions were just stubs, how could that have possibly had any effect
> whatsoever on anyone else?

there was a bug report on debian.org complaining about the d-bus support
which took ONE SECOND per inode created (most probably due to poor
design of d-bus, e.g. not having a prefork'd server like apache does)

due to the multi-exe design of udev (udevd, udev, udevsend) it is quite
difficult to maintain persistent network or socket connections such that
both d-bus and libselinux1 "caching" can be taken advantage of.

[libselinux1 does caching of file context lookups - this can only be
taken advantage of IF you use a single process, of course - and udevsend
is only given ONE device name to create, and then it exits]

consequently, d-bus support was ripped out and disabled.

and it looks like the selinux support, which wasn't very good anyway,
was also removed and turned into a script that ran "restorecon"
post-inode creation, see /etc/udev.d/default/selinux.

> If you could, please paste a patch from the older version so that we can
> see here whether it should work right (it's possible that the libselinux
> api changed between then and now)

udev-0.024 was the last version containing selinux support, i had to
track it down.

iirc:

1) it used setfilecon() not setfscreatecon().

2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
on any directories or subdirectories created.

the patch i created is at least an attempt to GetThingsWorking(tm).

if time REALLY IS a major concern:

what _should_ be done is that udev (or udevd) should be patched to
popen("setfiles -q -s", "w") and then when each device inode is created
(and a udevsend is exec'd to do it), the filename of the device inode is
ALSO sent down the pipe to setfiles.

i say should, what i mean is, this is the most non-nasty solution with
the tools and options presently available.

if the file_contexts stuff was somehow pre-munged and transferred into
kernel, and the regexp matching code (or something similar) was _also_
transferred into the kernel, then this problem would go away.

l.

-- 
-- Truth, honesty and respect are rare commodities that all spring from the
same well: Love. If you love yourself and everyone and everything around
you, funnily and coincidentally enough, life gets a lot better.
-- lkcl.net
lkcl(a)lkcl.net
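The persistent-pipe relabeling shape the message proposes (open `setfiles -q -s` once, stream each new device node's path to it), written out as an added example; this is not code from the message, from udev or from the SELinux tools. The helper command is a parameter so the logic can be exercised offline with any line-oriented reader, and `send_path` / `relabel_batch` are names I chose for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/* Send one path down the helper pipe, one path per line as "setfiles -s"
 * expects.  A name containing '\n' would be read as two entries, so refuse
 * it rather than let a crafted name smuggle an extra path.  Flush per path:
 * the node already exists and carries its default label until the helper
 * reaches it, so the line must not sit in a stdio buffer. */
static int send_path(FILE *fp, const char *path)
{
    if (path[0] == '\0' || strchr(path, '\n'))
        return -1;
    if (fputs(path, fp) == EOF || fputc('\n', fp) == EOF)
        return -1;
    return fflush(fp) == 0 ? 0 : -1;
}

/* The shape the message proposes for udevd: start the labeling helper once
 * (e.g. "setfiles -q -s") and stream every new device node's path to it,
 * instead of exec'ing a labeler per inode.  Returns the number of paths the
 * helper accepted, or -1 if a path was rejected, the pipe broke, or the
 * helper exited non-zero.  helper_cmd is a parameter (assumption: any
 * line-oriented reader stands in for setfiles when run offline). */
long relabel_batch(const char *helper_cmd, const char *const *paths, size_t n)
{
    FILE *fp;
    size_t i;
    int st, rc = 0;

    /* A helper that died must surface as EPIPE on write, not as SIGPIPE
     * killing the daemon; a real daemon sets this once at startup. */
    signal(SIGPIPE, SIG_IGN);
    fp = popen(helper_cmd, "w");
    if (!fp)
        return -1;
    for (i = 0; i < n && rc == 0; i++)
        rc = send_path(fp, paths[i]);
    st = pclose(fp);
    if (rc != 0 || st == -1 || !WIFEXITED(st) || WEXITSTATUS(st) != 0)
        return -1;
    return (long)n;
}
```

The helper's exit status is the only acknowledgement this protocol gives, so a non-zero status from `setfiles` must be logged and the batch treated as unlabeled.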