On Tue, Aug 24, 2004 at 08:06:41PM +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 19:28, Luke Kenneth Casson Leighton <lkcl@xxxxxxxx> wrote:
> > 2) it ONLY set the permissions on the inode NOT on any symlinks and NOT
> > on any directories or subdirectories created.
>
> This part is OK. We have moved to using device_t (the default) as the context
> for all directories and sym-links under /dev.

great, then the policy modifications i've made will be of some value in pointing you in the right direction, i'll endeavour to clean them up, sort them out

[dammit i just did that and ended up accidentally deleting it, i _must_ try to stop the habit of reusing filenames f g h x y and z]

i'm attaching also my modified /etc/init.d/udev file. as you can see it calls /sbin/restoredevicefiles (sent earlier) after the make_extra_nodes() call has been made.

why? because it is necessary to do a restorecon on every item created in /dev, and this is _before_ udev is running, and it is _to_ get udev running!

i mean, sure, it's fine to grant udev permission to do stuff to device_t:file/directory instead (or as well?) such that it can "get started" and then "replace" or "re-restore" permissions on entries listed in /etc/udev/links.conf, that's another approach i imagine could be taken.

> > if the file_contexts stuff was somehow pre-munged and
> > transferred into kernel, and the regexp matching code (or
> > something similar) was _also_ transferred into the kernel,
> > then this problem would go away.
>
> I think it's already been decided not to do that.

oh. right. ah well. Next :)
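The step lkcl describes, relabelling every entry under /dev (directories and symlinks included, not just the inodes make_extra_nodes() created) before udev starts, as an added example; this is not the attached /sbin/restoredevicefiles or init script, and the function name, the RESTORECON override and the -xdev choice are assumptions made here:

```sh
#!/bin/sh
# Added example, not the script from the thread. Hands every entry below a
# device directory to restorecon so that symlinks and subdirectories receive
# their file_contexts label as well as regular device nodes.
# RESTORECON can be overridden (e.g. for a dry run with a logging stub).
RESTORECON="${RESTORECON:-/sbin/restorecon}"

# relabel_dev_tree DIR
# Walks DIR itself and everything beneath it on the same filesystem and passes
# each path to restorecon in batches. restorecon labels the symlink entry it
# is given rather than following it, which is what the /dev case needs.
# -xdev keeps the walk from descending into filesystems mounted under DIR
# (devpts, tmpfs on /dev/shm), which carry their own labels.
# Returns non-zero if DIR is not a directory or restorecon reports failure.
relabel_dev_tree() {
    dir="$1"
    [ -d "$dir" ] || { echo "relabel_dev_tree: $dir is not a directory" >&2; return 1; }
    find "$dir" -xdev -exec "$RESTORECON" {} +
}

# Usage from an init script, after the device nodes have been created:
#   make_extra_nodes
#   relabel_dev_tree /dev
```

Run it only after the nodes exist, since restorecon can only label what is already on disk; anything udev creates later still needs udev itself to be allowed to label it.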