On Thu, Apr 29, 2010 at 10:43:33AM -0400, Christopher J. PeBenito wrote:
> On Thu, 2010-04-29 at 10:15 -0400, Stephen Smalley wrote:
> > > symlinks in /dev? Does it create them with the right context, or does
> > > it rely on udev to come by and relabel them?
> >
> > Based on the code, it appears to create and delete directories and
> > device nodes, no symlinks. It cannot create them in the right context
> > since the kernel knows nothing of file_contexts, so it just creates them
> > in the default context,
>
> Ah yes, I don't know what I was thinking.
>
> > leaving it to userspace (restorecon or udev) to
> > assign the correct context. It would be better if that were device_t
> > rather than tmpfs_t for obvious reasons.
>
> I suppose an interim solution would be to have a kernel_t type
> transition on tmpfs_t to device_t for chr_file, blk_file, and dir, until
> we can fix up the policy so devtmpfs can be device_t.

That sounds like a good solution. In my case of unmounted devtmpfs it will be preferable to create a separate type for this with no attributes and no allow rules except for kernel_t. But I wonder if it would break something else...

Thanks for your help, but anyway, I'm going to contact Debian people with this issue.

-- 
Alexey S.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
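The interim fix Chris describes, written out as a reference-policy-style module. This is an added example and not code from the thread or from the SELinux reference policy; it assumes the types kernel_t, tmpfs_t and device_t named above exist in the loaded base policy, and the module name devtmpfs_trans and the exact permission sets are my own choices, not taken from any distribution's policy.

```selinux
policy_module(devtmpfs_trans, 1.0)

gen_require(`
    type kernel_t;
    type tmpfs_t;
    type device_t;
')

########################################
#
# Interim fix: nodes the kernel creates in a devtmpfs that is still
# labeled tmpfs_t get device_t immediately, instead of inheriting the
# default tmpfs_t and waiting for restorecon or udev to relabel them.
#
type_transition kernel_t tmpfs_t:{ chr_file blk_file dir } device_t;

# A type_transition only fires if the creation itself is allowed.
# These rules cover creating and removing entries in the tmpfs_t
# directory and managing the resulting device_t objects (assumed
# minimal set; tighten or widen to match what the kernel actually does).
allow kernel_t tmpfs_t:dir { search write add_name remove_name };
allow kernel_t device_t:dir { create getattr setattr rmdir };
allow kernel_t device_t:{ chr_file blk_file } { create getattr setattr unlink };
```

Build and load it with the policy development Makefile (assumed to be installed at /usr/share/selinux/devel/Makefile, as on Fedora-style systems): `make -f /usr/share/selinux/devel/Makefile devtmpfs_trans.pp && semodule -i devtmpfs_trans.pp`. Confirm the rule is active with `sesearch -T -s kernel_t -t tmpfs_t` (setools), and check a freshly created node with `ls -Z /dev`. The variant Alexey mentions for a never-mounted devtmpfs is the same module with `device_t` replaced by a new bare `type` that carries no attributes and appears in no allow rules other than kernel_t's; since two type_transition rules for the same source, target and class conflict, pick one of the two, not both.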