On Tue, 24 Aug 2004 19:28, Luke Kenneth Casson Leighton <lkcl@xxxxxxxx> wrote:
> 2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
> on any directories or subdirectories created.

This part is OK. We have moved to using device_t (the default) as the
context for all directories and sym-links under /dev.

> what _should_ be done is that udev (or udevd) should be patched to
> popen("setfiles -q -s", "w") and then when each device inode is
> created (and a udevsend is exec'd to do it), the filename of the
> device inode is ALSO sent down the pipe to setfiles.
>
> i say should, what i mean is, this is the most non-nasty solution
> with the tools and options presently available.

Sounds good to me.

> if the file_contexts stuff was somehow pre-munged and
> transferred into kernel, and the regexp matching code (or
> something similar) was _also_ transferred into the kernel,
> then this problem would go away.

I think it's already been decided not to do that.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
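The two pieces discussed in the thread, a file_contexts lookup for a freshly created /dev inode and a feeder that pipes device-node paths to `setfiles -q -s`, as an added illustration that is not code from the message or from udev. It assumes the usual `setfiles [options] spec_file` invocation (the spec-file path is an example), uses last-match-wins ordering with Python `re` in place of setfiles' PCRE-style regexes, and the file_contexts lines and labels below are constructed.

```python
import re
import subprocess

# Constructed file_contexts excerpt (hypothetical labels, not a real policy file).
# Later entries override earlier ones; the type flag restricts an entry to one inode kind.
FILE_CONTEXTS = """
/dev(/.*)?            system_u:object_r:device_t
/dev/tty[0-9]*   -c   system_u:object_r:tty_device_t
/dev/sd[a-z].*   -b   system_u:object_r:fixed_disk_device_t
/dev/null        -c   system_u:object_r:null_device_t
"""

TYPE_FLAGS = {"-c": "chr", "-b": "blk", "-d": "dir", "-l": "lnk", "--": "reg"}


def parse_file_contexts(text):
    """Return (compiled_regex, inode_type_or_None, context) triples in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:                       # regex, type flag, context
            regex, ftype, ctx = parts[0], TYPE_FLAGS[parts[1]], parts[2]
        else:                                     # regex, context (any inode type)
            regex, ftype, ctx = parts[0], None, parts[1]
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def match_context(specs, path, ftype):
    """Context for an inode of kind ftype ('chr', 'blk', ...); the last matching entry wins.
    setfiles anchors each regex to the whole path, hence fullmatch."""
    chosen = None
    for regex, spec_type, ctx in specs:
        if regex.fullmatch(path) and spec_type in (None, ftype):
            chosen = ctx
    return chosen


def relabel_via_setfiles(paths, spec_file="/etc/selinux/targeted/contexts/files/file_contexts",
                         command=None):
    """Send one newline-terminated path per device inode to `setfiles -q -s` on its stdin,
    the scheme the message proposes for udev. `command` overrides the argv (e.g. ["cat"])
    so the pipe can be exercised on a host without SELinux. Returns (exit status, stdout)."""
    argv = list(command) if command else ["setfiles", "-q", "-s", spec_file]
    child = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    out, _ = child.communicate("".join(p + "\n" for p in paths))
    return child.returncode, out
```

Note that the catch-all `/dev(/.*)?` line is what gives the directories and symlinks under /dev their device_t default, while the typed entries only fire for the inode kind they name.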