On Tue, Aug 24, 2004 at 03:18:28PM +0100, Luke Kenneth Casson Leighton wrote:
On Tue, Aug 24, 2004 at 08:06:41PM +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 19:28, Luke Kenneth Casson Leighton <lkcl(a)lkcl.net> wrote:
> > 2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
> > on any directories or subdirectories created.
>
> This part is OK. We have moved to using device_t (the default) as the context
> for all directories and sym-links under /dev.
great, then the policy modifications i've made will be of some
value in pointing you in the right direction, i'll endeavour to
clean them up, sort them out [dammit i just did that and ended
up accidentally deleting it, i _must_ try to stop the habit of
reusing filenames f g h x y and z]
i'm attaching also my modified /etc/init.d/udev file.
as you can see it calls /sbin/restoredevicefiles (sent earlier)
after the make_extra_nodes() call has been made.
well you _could_ if i attached it.
okay, also attached the most historically horrible "ItWorksForMe(tm)"
udev-device-t-patch for selinux.
note that there are some awful hacks in here such as
allow hotplug_t device_t:file { ioctl read write };
the reason for this horrible hack is because, i believe, i am
running /bin/ls from inside my horrible hack script
/sbin/restoredevicefiles.
during the setup phase, no program should endeavour to access
/dev/null.
less obvious ones are:
allow init_t device_t:fifo_file { getattr read write };
to access /dev/initctl
now, this _could_ be due to a mistake that i made, because strictly
speaking, /dev/initctl should be in /dev as in a _real_ /dev on
a _real_ ext2 persistent filesystem.
stephen's explanation about setfiles not traversing mount points
including --rbind moved mountpoints _could_ explain why i was
having the above difficulties, namely that if /.dev was not being
relabelled, then /.dev/initctl would be as the default device_t
type, such that on an initial boot (prior to /dev getting --rbind
mount moved to /dev by /etc/init.d/udev) the filecontext was
incorrect.
but, like i said earlier, i believe that setfiles was _not_ doing
a proper job of ignoring --rbind mountpoints, and consequently
a make relabel or a setfiles / resulted in /.dev _deliberately_
being set to something it should not have been set to.
which reminds me to suggest that for this reason, it might be
necessary to add /.dev to the make relabel rule in setfiles.
oh, and of course to add in /.?u?dev [or a better regexp] to every
single line in the file contexts thing.
at this point i have to confess that i am getting a little confused
because there is so much that i have just ridden slipshod over in
the past few weeks and approximately 100 reboots in order to
get a working system: priority of time and running out of cash.
l.
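The mail's last suggestion, duplicating every /dev line of file_contexts under /.dev so that a relabel (or setfiles not descending into the --rbind mountpoint) does not leave /.dev/initctl and friends at the default device_t, can be checked mechanically. The following is an added example written for this page, not code from the thread or from the SELinux reference policy. The file_contexts lines, the /.udev alternate root and the resolver are constructed for illustration; the resolver assumes the last matching entry wins, which is the rule setfiles(8) documented at the time (current libselinux orders entries by specificity instead).

```python
import re

# Constructed sample of SELinux file_contexts lines (not from a real policy):
# "<regex> [-type-flag] <security context>", regexes are implicitly anchored.
SAMPLE_FILE_CONTEXTS = """\
# device nodes live under /dev; udev builds them first under /.dev (constructed)
/dev(/.*)?         system_u:object_r:device_t
/dev/null       -c system_u:object_r:null_device_t
/dev/initctl    -p system_u:object_r:initctl_t
/dev/tty[0-9]*  -c system_u:object_r:tty_device_t
"""

# file_contexts type flags -> one-letter file kind used by this resolver
FTYPE_FLAGS = {"-b": "b", "-c": "c", "-d": "d", "-p": "p",
               "-l": "l", "-s": "s", "--": "f"}


def parse_file_contexts(text):
    """Return a list of (regex, kind_or_None, context) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            kind = FTYPE_FLAGS[flag]
        elif len(parts) == 2:
            (regex, ctx), kind = parts, None
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        entries.append((regex, kind, ctx))
    return entries


def match_context(entries, path, kind):
    """Resolve the context for `path` of file kind `kind` (b, c, d, p, l, s, f).

    Assumption of this example: the last matching entry wins, as setfiles(8)
    documented at the time. An entry with a type flag only matches that kind.
    """
    found = None
    for regex, entry_kind, ctx in entries:
        if entry_kind is not None and entry_kind != kind:
            continue
        if re.fullmatch(regex, path):
            found = ctx
    return found


def add_alternate_roots(entries, alt_roots=("/.dev", "/.udev")):
    """Duplicate every /dev entry under each alternate root, keeping file order.

    The roots are regex-escaped, so "/.dev" becomes the literal "/\\.dev".
    """
    out = list(entries)
    for regex, kind, ctx in entries:
        if regex.startswith("/dev"):
            tail = regex[len("/dev"):]
            for root in alt_roots:
                out.append((re.escape(root) + tail, kind, ctx))
    return out


def missing_alternate_root(entries, alt_root="/.dev"):
    """List /dev regexes that have no counterpart under `alt_root`.

    Anything listed here would be labelled only by the catch-all
    (or not at all) while udev is still populating the alternate tree.
    """
    regexes = {r for r, _, _ in entries}
    missing = []
    for regex, _, _ in entries:
        if regex.startswith("/dev"):
            if re.escape(alt_root) + regex[len("/dev"):] not in regexes:
                missing.append(regex)
    return missing


if __name__ == "__main__":
    base = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    print("uncovered under /.dev:", missing_alternate_root(base))
    full = add_alternate_roots(base)
    print("/.dev/initctl ->", match_context(full, "/.dev/initctl", "p"))
```

Running the script on the constructed sample first reports all four /dev patterns as uncovered under /.dev, then, after the alternate-root entries are generated, resolves /.dev/initctl to the initctl_t context rather than the catch-all device_t. The kind check matters: a regular file named /dev/null would still fall through to device_t because the null_device_t entry is restricted to character devices.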