Kay Sievers wrote:
On Mon, Feb 06, 2006 at 01:35:35PM -0500, Stephen Smalley wrote:
On Mon, 2006-02-06 at 13:15 -0500, Daniel J Walsh wrote:
How about if we changed the call to
    if ( mode & S_IFBLK ) {
        media = get_media(devname, mode);
        if (media) {
            ret = matchmediacon(media, &scontext);
            free(media);
        }
    }
You already have a test of (mode & S_IFBLK) on entry to get_media, so I
don't see what that buys you. Still limited to ide devices by get_media
only checking /proc/ide. I don't think her concern with the media
support was performance, just generality and use of sysfs. Performance
concern was with selinux_init.
On the performance overhead issue, only real improvement would be to
move all matchpathcon_init+matchpathcon processing into the daemon and
have the daemon pass the required contexts to the event commands on the
command line or via pipe.
The udev event processes, the ones that actually create the device node
are just clones of the main daemon, they run the same code, the same
memory as the main daemon, they don't exec() anything. So everything that
is available in the main daemon before the event process is forked, will
also be available in the event process itself while it is creating the
node.
That's the reason I was asking, because it sounds like the current selinux
integration could be optimized. Seems there is no need for any pipe or other
ipc, if selinux is fine with the inherited state from the daemon.
Thanks,
Kay
Yes, I think it should work fine.
I think a patch like the following should also be added to udev_selinux.
- media = get_media(devname, mode);
- if (media) {
- ret = matchmediacon(media, &scontext);
- free(media);
+ if ( mode & S_IFBLK ) {
+ media = get_media(devname, mode);
+ if (media) {
+ ret = matchmediacon(media, &scontext);
+ free(media);
+ }
}
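Review bot: the guard `if ( mode & S_IFBLK )` added in this hunk does not test for a block device. The S_IF* type values occupy a single 4-bit field (S_IFMT) and are not independent flag bits, so the AND is also non-zero for character devices, directories, symlinks and sockets (S_IFCHR, S_IFDIR, S_IFLNK and S_IFSOCK each share a bit with S_IFBLK) and only excludes regular files and FIFOs. Use `if (S_ISBLK(mode)) {` instead, which is equivalent to `(mode & S_IFMT) == S_IFBLK` and also drops the spaces inside the parentheses that do not match the surrounding style. Separately, as Stephen points out above, get_media() already checks the mode on entry, so the new guard is redundant unless that check is removed from get_media() in the same change.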
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list