On Mon, Aug 23, 2004 at 06:50:14PM -0400, Joshua Brindle wrote:
> Greg KH wrote:
>
> >Please fix that patch up to:
> > - not have any ifdef in the .c files
> > - use the proper coding style
> > - use the same convention as the other build flags have.
> >
> >Actually, what was wrong with the older selinux support in udev that was
> >there? Why not just dig that stuff up and see if it works or not (I bet
> >it does...) If so, I'll be glad to add it back in, it's just that too
> >many people complained about it when it was in there...
> >
>
> Who complained and why? When selinux support wasn't built in the
> functions were just stubs, how could that have possibly had any effect
> whatsoever on anyone else?

there was a bug report on debian.org complaining about the d-bus
support which took ONE SECOND per inode created (most probably due to
poor design of d-bus, e.g. not having a prefork'd server like apache
does)

due to the multi-exe design of udev (udevd, udev, udevsend) it is
quite difficult to maintain persistent network or socket connections
such that both d-bus and libselinux1 "caching" can be taken
advantage of.

[libselinux1 does caching of file context lookups - this can only
be taken advantage of IF you use a single process, of course - and
udevsend is only given ONE device name to create, and then it exits]

consequently, d-bus support was ripped out and disabled.

and it looks like the selinux support, which wasn't very good anyway,
was also removed and turned into a script that ran "restorecon"
post-inode creation, see /etc/udev.d/default/selinux.

> If you could, please paste a patch from the older version so that we can
> see here whether it should work right (it's possible that the libselinux
> api changed between then and now)

udev-0.024 was the last version containing selinux support, i had to
track it down.

iirc:

1) it used setfilecon() not setfscreatecon().

2) it ONLY set the permissions on the inode NOT on any symlinks
   and NOT on any directories or subdirectories created.

the patch i created is at least an attempt to GetThingsWorking(tm).

if time REALLY IS a major concern:

what _should_ be done is that udev (or udevd) should be patched to
popen("setfiles -q -s", "w") and then when each device inode is
created (and a udevsend is exec'd to do it), the filename of the
device inode is ALSO sent down the pipe to setfiles.

i say should, what i mean is, this is the most non-nasty solution
with the tools and options presently available.

if the file_contexts stuff was somehow pre-munged and transferred
into kernel, and the regexp matching code (or something similar) was
_also_ transferred into the kernel, then this problem would go away.

l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
lkcl.net <http://lkcl.net>
lkcl@xxxxxxxx
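
The persistent-pipe design proposed in the message above, sketched as an added example that is not part of the original message and is not udev's code: one long-lived helper is started with popen() and each new device path is written to its stdin, so the helper's file-context lookups are paid for once per run instead of once per inode. The names `label_paths` and `path_is_safe` are hypothetical, the sample paths are constructed, and `cat >/dev/null` stands in for the message's `setfiles -q -s` so the block runs on a machine without SELinux.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

/* Constructed sample input: device paths as a udev-like daemon might see. */
static const char *const sample_paths[] = {
    "/dev/sda1",
    "/dev/input/event0",
    "/dev/evil\n/etc/shadow",   /* embedded newline: must be rejected */
    "relative/node",            /* not absolute: must be rejected */
};

/* The helper reads one path per line, so a newline inside a name would
 * smuggle in a second path. Accept only absolute, newline-free names. */
static int path_is_safe(const char *p)
{
    return p && p[0] == '/' && strpbrk(p, "\r\n") == NULL;
}

/* Start helper_cmd once, stream every safe path to its stdin, then close.
 * Returns paths sent, or -1 on start, write or helper-exit failure. */
int label_paths(const char *helper_cmd, const char *const *paths, size_t n)
{
    int sent = 0;
    signal(SIGPIPE, SIG_IGN);   /* a dead helper yields EPIPE, not a kill */
    FILE *helper = popen(helper_cmd, "w");
    if (!helper)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (!path_is_safe(paths[i]))
            continue;
        /* Flush per path: device events arrive one at a time. */
        if (fprintf(helper, "%s\n", paths[i]) < 0 || fflush(helper) == EOF) {
            pclose(helper);
            return -1;
        }
        sent++;
    }
    int status = pclose(helper);
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return sent;
}

int main(void)
{
    /* Stand-in helper; on SELinux it would be the message's setfiles call. */
    return label_paths("cat >/dev/null", sample_paths, 4) == 2 ? 0 : 1;
}
```

Like the restorecon script the message mentions, this labels the inode after it has been created, so the node briefly exists with whatever context it was created with.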