On Mon, Aug 30, 2004 at 07:37:44PM +0200, Nigel Kukard wrote:
> Just an idea, but why not have udev set the context on its root path?

you mean on /dev, i presume?

well i had to patch selinux/hooks.c to allow this [on a tmpfs] by relaxing the criteria of the "fscontext=" option for mount. otherwise it's not _possible_ to set the context on /dev as it is mounted [on a tmpfs]. [if /dev was a persistent filesystem everything would be hunky-dory and this wouldn't be an issue].

with that in mind, it's more that because you're putting device inodes into a non-persistent filesystem, you end up getting the "default" rules and so you must "restore" the contexts, or you must patch udev to "understand" the contents of /etc/selinux/src/file_contexts/file_contexts (using matchpathcon() and setfscreatecon() from libselinux) such that it will create inodes with the right file context.

like i said, if /dev was a persistent filesystem, and if device inodes never disappeared, this wouldn't be a problem: you could run setfiles /etc/selinux/src/file_contexts/file_contexts /dev and be done with it...

... but that's not how udev works: it deletes and creates inodes on demand; nothing exists at boot-time, it's all created on-demand.

so, not only must udev be patched to restore contexts but also the policies and various hacks added to "cope" with /dev being incredibly basic at startup - prior to udev running. _including_ dealing with getting the contexts correct on entries in /.dev [the old /dev remounted with mount --rbind]

l.

--
Truth, honesty and respect are rare commodities that all spring from the same well: Love. If you love yourself and everyone and everything around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@xxxxxxxx
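The matchpathcon()/setfscreatecon() approach the mail describes, as an added example that is neither lkcl's nor udev's code: a Python reimplementation of the file_contexts lookup a patched udev would need, run over a constructed excerpt of a file_contexts file, plus a helper that hands the looked-up context to the kernel through libselinux's setfscreatecon(3) before mknod so the inode is labelled at creation rather than restored afterwards. The excerpt, the node names and the `libselinux.so.1` ctypes binding are assumptions.

```python
import ctypes
import os
import re
import stat

# Constructed file_contexts excerpt (the real 2004 file is far longer).
FILE_CONTEXTS = """\
/dev(/.*)?              system_u:object_r:device_t
/dev/tty[0-9]*      -c  system_u:object_r:tty_device_t
/dev/sd[a-z][0-9]*  -b  system_u:object_r:fixed_disk_device_t
/dev/shm(/.*)?          <<none>>
"""

TYPE_BITS = {"b": stat.S_IFBLK, "c": stat.S_IFCHR, "-": stat.S_IFREG, "d": stat.S_IFDIR,
             "l": stat.S_IFLNK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}  # type letter -> S_IFMT

def parse_file_contexts(text):
    """Return [(compiled regex, type letter or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        pattern, context = fields[0], fields[-1]
        ftype = fields[1][1] if len(fields) == 3 else None   # "-c" -> "c"
        specs.append((re.compile("^(?:%s)$" % pattern), ftype, context))
    return specs

def match_path(specs, path, mode):
    """matchpathcon(3)-style lookup: the last spec in the file that matches
    both the path and the file type wins; '<<none>>' yields None."""
    for regex, ftype, context in reversed(specs):
        if ftype is not None and stat.S_IFMT(mode) != TYPE_BITS[ftype]:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None

def mknod_with_context(specs, path, mode, dev):
    """What a patched udev would do instead of a later restorecon pass:
    set the create-context before mknod so the inode is labelled at birth."""
    ctx = match_path(specs, path, mode)
    libselinux = ctypes.CDLL("libselinux.so.1")      # OSError if not installed
    if ctx is not None and libselinux.setfscreatecon(ctx.encode()) != 0:
        raise OSError("setfscreatecon failed for " + path)
    try:
        os.mknod(path, mode, dev)
    finally:
        libselinux.setfscreatecon(None)              # reset to the default
    return ctx
```

mknod_with_context needs root and an SELinux-enabled host with libselinux; the lookup itself runs anywhere.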