On Tue, Aug 31, 2004 at 10:49:08AM +0100, Luke Kenneth Casson Leighton wrote:
> > Seeing as my initial /dev is on a persistent
> > filesystem i don't have a problem with pre-udev stuff running.
>
> well.... you shouldn't... until you reinitialise or somehow delete,
> upgrade or otherwise modify the "old" /dev [which you will find is
> remounted --rbind to /.dev].
>
> try it: do setfiles /etc/selinux/src/file_contexts/file_contexts /.dev
> and then reboot [in permissive mode!!!]
>
> due to the present files/types.fc, you will find that the entire
> /.dev gets relabelled to something completely useless: root_t
> or default_t. i think it's default_t.
>
> consequently your next reboot in enforcing mode will fail because
> /sbin/init tries to access /dev/null and /dev/initctl etc. as
> default_t ... and it can't.
>
> should you choose to deal with this, replace /u?dev with /[\.u]dev or
> some suitable regexp that i haven't a clue how to write so i just
> did /.?u?dev and that did the trick.

it's insufficient to add /.?u?dev to just file_contexts/types.fc;
you also have to search in file_contexts/program/* for /dev and set
the right context there, too.

there is, i believe, a bug at present in e.g. file_contexts/program/init.fc
because it only covers /dev/initctl, not /udev/initctl and not
/.dev/initctl.

i think this one is the only one that's really really critical [except
on redhat of course, where they all should be /u?dev] because if
/.dev/initctl gets set to default_t, you're stuffed at next boot.

l.
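As an added illustration (not part of the message above, and not code from the SELinux policy tree it discusses), here is a small Python model of how setfiles resolves a path against file_contexts entries, run over two constructed fragments: one with the original `/u?dev` patterns and a program/init.fc line that only names `/dev/initctl`, and one using the `/.?u?dev` pattern from the message applied to both files. The entries, the contexts (device_t, null_device_t, initctl_t, default_t) and the `-c`/`-p` type selectors are assumptions made for the example, not copied from any policy; the matcher follows libselinux's rules as the example understands them (regexes anchored to the whole path, the file-type selector must agree, and of several matching entries the one listed last wins).

```python
import re

# Constructed fragment modelled on a 2004-era policy layout: a types.fc
# catch-all plus /u?dev rules, and a program/init.fc rule that only names
# /dev/initctl. Contexts are illustrative assumptions, not real policy.
FILE_CONTEXTS_BROKEN = """
/.*                    system_u:object_r:default_t
/u?dev(/.*)?           system_u:object_r:device_t
/u?dev/null        -c  system_u:object_r:null_device_t
/dev/initctl       -p  system_u:object_r:initctl_t
"""

# Same fragment with the /.?u?dev pattern from the message applied to the
# types.fc rules AND to the init.fc rule (assumed fix, for illustration).
FILE_CONTEXTS_FIXED = """
/.*                    system_u:object_r:default_t
/.?u?dev(/.*)?         system_u:object_r:device_t
/.?u?dev/null      -c  system_u:object_r:null_device_t
/.?u?dev/initctl   -p  system_u:object_r:initctl_t
"""

# Constructed sample of the paths /sbin/init needs at boot, with the file type
# setfiles would see: "c" char device, "p" FIFO, "-" regular file.
SAMPLE_PATHS = [
    ("/dev/null", "c"),
    ("/.dev/null", "c"),
    ("/dev/initctl", "p"),
    ("/udev/initctl", "p"),
    ("/.dev/initctl", "p"),
]


def parse_file_contexts(text):
    """Parse 'regex [-type] context' lines into (compiled regex, type, context).

    The optional middle field is a file-type selector as in file_contexts
    ('-c', '-p', '--', ...); we keep only the letter after the dash.
    """
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
            ftype = ftype[1]          # "-c" -> "c", "--" -> "-"
        elif len(fields) == 2:
            regex, context = fields
            ftype = None              # applies to any file type
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs


def lookup(specs, path, ftype):
    """Return the context the labeller would apply to `path`.

    Assumed matching rules: the regex must match the whole path, a type
    selector (if present) must equal the file's type, and when several
    entries match the one that appears last in the file wins.
    """
    for regex, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):
            return context
    return None


def relabel_report(text, paths):
    """Map each sample path to the context a relabel of that tree would give it."""
    specs = parse_file_contexts(text)
    return {path: lookup(specs, path, ftype) for path, ftype in paths}


def default_labelled(report):
    """Paths that fell through to default_t: exactly what breaks the next boot."""
    return [p for p, ctx in report.items() if ctx.endswith(":default_t")]


if __name__ == "__main__":
    for name, text in (("broken", FILE_CONTEXTS_BROKEN), ("fixed", FILE_CONTEXTS_FIXED)):
        report = relabel_report(text, SAMPLE_PATHS)
        print(f"--- {name} ---")
        for path, ctx in report.items():
            print(f"{path:16} {ctx}")
        print("falls to default_t:", default_labelled(report))
```

With the original patterns `/.dev/null` and `/.dev/initctl` both land on the `/.*` catch-all and get default_t, while `/udev/initctl` is caught by the generic `/u?dev(/.*)?` rule and gets device_t instead of initctl_t; with `/.?u?dev` in both files every sample path gets the intended context. Two caveats on the pattern itself: the dot in `/.?u?dev` is unescaped, so it also matches names such as `/xdev`, and `/(\.|u)?dev` is the tighter spelling; and, as the message says, changing types.fc alone is not enough, because the program/init.fc entry must cover the same prefixes or `/.dev/initctl` still falls through. On a real system the equivalent check after editing the policy is `matchpathcon /.dev/initctl` before rebooting in enforcing mode.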