On Tue, Aug 31, 2004 at 10:49:08AM +0100, Luke Kenneth Casson Leighton wrote:
> Seeing as my initial /dev is on a persistent
> filesystem i don't have a problem with pre-udev stuff running.
well... you shouldn't... until you reinitialise or somehow delete,
upgrade or otherwise modify the "old" /dev [which you will find is
remounted --rbind to /.dev].
try it: do setfiles /etc/selinux/src/file_contexts/file_contexts /.dev
and then reboot [in permissive mode!!!]
due to the present files/types.fc, you will find that the entire
/.dev gets relabelled to something completely useless: root_t
or default_t. i think it's default_t.
consequently your next reboot in enforcing mode will fail because
/sbin/init tries to access /dev/null and /dev/initctl etc. as
default_t ... and it can't.
should you choose to deal with this, replace /u?dev with /[\.u]dev or
some suitable regexp that i haven't a clue how to write, so i just
did /.?u?dev and that did the trick.
it's insufficient to add /.?u?dev to just file_contexts/types.fc;
you also have to search in file_contexts/program/* for /dev
and set the right context there, too.
there is, i believe, a bug at present in
e.g. file_contexts/program/init.fc, because it only covers
/dev/initctl, not /udev/initctl and not /.dev/initctl.
i think this one is the only one that's really really critical
[except on redhat of course where they all should be /u?dev]
because if /.dev/initctl gets set to default_t, you're stuffed
at next boot.
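A small matcher, added here as an illustration and not code from the mail or from the SELinux policy, showing the gap the mail describes: it applies constructed file_contexts rules to /dev/initctl, /udev/initctl and /.dev/initctl before and after widening /u?dev to /.?u?dev. The rule text is constructed rather than copied from types.fc or init.fc, and it assumes that the last matching rule wins, as libselinux's file_contexts lookup does.

```python
import re

# Constructed file_contexts fragments (not the real types.fc/init.fc).
ORIGINAL_SPEC = """
/.*                 system_u:object_r:default_t
/u?dev(/.*)?        system_u:object_r:device_t
/u?dev/null    -c   system_u:object_r:null_device_t
/dev/initctl   -p   system_u:object_r:initctl_t
"""

# Same rules after the change the mail describes: /u?dev widened to
# /.?u?dev, and init.fc's initctl line widened the same way.
WIDENED_SPEC = (ORIGINAL_SPEC
                .replace("/u?dev", "/.?u?dev")
                .replace("/dev/initctl", "/.?u?dev/initctl"))

def parse_spec(text):
    """Return (anchored regex, file type or None, context) per rule line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:            # "<regex> -<type> <context>"
            regex, ftype, context = parts
            ftype = ftype.lstrip("-")
        else:                          # "<regex> <context>"
            (regex, context), ftype = parts, None
        # setfiles anchors every regex to the whole path
        rules.append((re.compile("^" + regex + "$"), ftype, context))
    return rules

def label_for(spec_text, path, ftype):
    """Context a path gets; last matching rule wins (assumed, as in libselinux)."""
    winner = None
    for regex, rule_type, context in parse_spec(spec_text):
        if regex.match(path) and rule_type in (None, ftype):
            winner = context
    return winner

def initctl_labels(spec_text):
    """Label of the init fifo under each of the three /dev locations."""
    return {d + "/initctl": label_for(spec_text, d + "/initctl", "p")
            for d in ("/dev", "/udev", "/.dev")}

if __name__ == "__main__":
    for name, spec in (("original", ORIGINAL_SPEC), ("widened", WIDENED_SPEC)):
        print(name, initctl_labels(spec))
```

The unescaped dot in /.?u?dev matches any single character, so a path such as /xdev would match too; escaping it as /\.?u?dev avoids that.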