Chris PeBenito wrote:
> On Fri, 2007-11-30 at 17:24 +0000, Martin Orr wrote:
>> On 30/11/07 15:55, Christopher J. PeBenito wrote:
>>> On Fri, 2007-11-30 at 16:30 +0100, Václav Ovsík wrote:
>>>> On Fri, Nov 30, 2007 at 09:38:33AM -0500, Christopher J. PeBenito wrote:
>>>>>> Corresponding code is in udev_node.c, function node_symlink().
>>>>>> if (strcmp(target, buf) == 0) {
>>>>>>     info("preserve already existing symlink '%s' to '%s'", slink,
>>>>>>          target);
>>>>>>     selinux_setfilecon(slink, NULL, S_IFLNK);
>>>>>>     goto exit;
>>>>>> }
>>>>> I'll add the rule. Perhaps someone should send up a patch to remove the
>>>>> setfilecon, and update the info message.
>>>> Do you mean to compare the context of symlink and no setfilecon if it is
>>>> ok?
>>> Yes. Unless there's a good reason to keep it as-is that I don't know
>>> about.
>> Well I'll send a patch to udev. Should it just be the below, or should udev
>> be relabelling symlinks if it finds that they exist but are wrongly
>> labelled? How do I test for equality of security contexts?
>>
>> --- a/udev_node.c
>> +++ b/udev_node.c
>> @@ -146,7 +146,6 @@ static int node_symlink(const char *node, const char *slink)
>> buf[len] = '\0';
>> if (strcmp(target, buf) == 0) {
>> info("preserve already existing symlink '%s' to '%s'", slink, target);
>> - selinux_setfilecon(slink, NULL, S_IFLNK);
>> goto exit;
>> }
>> }
>
> Yes, that's what I was thinking. Since the function is node_symlink(),
> I'm guessing there is a similar function for char and block node, etc?
> Those should be checked to make sure they don't do unneeded relabeling
> too.
>

My patch for Fedora adds the ability for udev to relabelto relabelfrom device_t symlinks. Even if you fix udev, these rules should be added, since you could label the symlink as something other than device_t.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
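
Review bot: with the selinux_setfilecon(slink, NULL, S_IFLNK) call dropped from the strcmp(target, buf) == 0 branch of node_symlink(), a symlink that already points at the right target but carries the wrong label is preserved and never corrected, and the info() message does not say that the label was left untouched. Consider reading the link's current context with lgetfilecon(), comparing it with the expected context for the path (matchpathcon() with S_IFLNK), and calling selinux_setfilecon() only on a mismatch; that removes the unneeded relabel on every event while still repairing mislabelled links. If leaving the label alone is the intended behaviour, a one-line comment in the branch and an updated info() text would make that explicit.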