RE: How the native device nodes of /dev/* get relabeled?

> Subject: Re: How the native device nodes of /dev/* get relabeled?
> From: sds@xxxxxxxxxxxxx
> To: harrytaurus2002@xxxxxxxxxxx
> CC: selinux@xxxxxxxxxxxxx
> Date: Tue, 25 May 2010 08:35:19 -0400
>
> On Tue, 2010-05-25 at 06:01 +0000, TaurusHarry wrote:
> > Hi SELinux experts,
> >
> > Thanks for reading my question. I know the whole file system could be
> > relabeled if we touch /.autorelabel, then during system boots up
> > rc.sysinit will go on to call the relabel_selinux() function to fix the
> > label for the whole file system, however, this happens after
> > rc.sysinit has called start_udev, which will mount tmpfs onto /dev/
> > and take the responsibility to restorecon it properly. So how do we
> > make sure those native device nodes under /dev/* such as /dev/console
> > and /dev/null being properly labeled? They would be accessed by the
> > hostname or mount program before rc.sysinit calls start_udev (when the
> > tmpfs has not been mounted and labeled on /dev/).
>
> Once policy has been loaded, you can run restorecon -R /dev to fix up
> the labels of any device nodes that were previously created; rc.sysinit
> does that in Fedora, but you could take it earlier in the initialization
> process, anytime after policy load (you could do it from the initramfs
> script right after policy load).
>

Thanks Stephen!

Now I understand the purpose of the initramfs script "_restorecon" on my Ubuntu desktop - it is to relabel the raw /dev/ directory after the "_load_policy" initramfs script has loaded the SELinux policy image. I have taken Fedora's approach and made rc.sysinit relabel /dev/console and /dev/null properly before tmpfs is mounted on /dev/ by the start_udev script.

Best regards,
Harry

> Otherwise, you have to just allow certain domains to access the default
> type applied to the initial /dev nodes (e.g. tmpfs_t if it is a tmpfs
> mount or a devtmpfs mount). refpolicy does this via
> fs_rw_tmpfs_chr_files() for certain domains, including init_t, initrc_t,
> mount_t, hotplug_t.
>
> --
> Stephen Smalley
> National Security Agency
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
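The approach Stephen describes (run restorecon on the device nodes that already exist once policy is loaded, before start_udev mounts tmpfs over /dev), written out as an added shell example. This is not code from the original thread, from Fedora's rc.sysinit or from the Ubuntu initramfs scripts. It assumes selinuxfs is mounted at /sys/fs/selinux (or the legacy /selinux), that restorecon is in PATH, and that the caller passes the list of nodes to fix; the node list in the final call is an illustrative choice, not one the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the original thread): relabel the static device
# nodes that early boot touches (hostname, mount, ...) before udev mounts
# tmpfs on /dev. Call it right after policy load (load_policy, or the
# "_load_policy" initramfs script) and before start_udev.
#
# Assumptions (not stated in the thread): selinuxfs is mounted at
# /sys/fs/selinux or the legacy /selinux, restorecon is in PATH, and the
# caller passes the nodes to fix as arguments.

# Return 0 if the kernel has an SELinux policy loaded, 1 otherwise.
# The "enforce" node in selinuxfs exists only when SELinux is active.
selinux_policy_loaded() {
    for fs in /sys/fs/selinux /selinux; do
        [ -e "$fs/enforce" ] && return 0
    done
    return 1
}

# Relabel the given device nodes in place using the loaded policy's
# file contexts. Returns 0 if every existing node was relabeled, or if
# there is nothing to do because SELinux is not active; 1 on failure.
relabel_static_dev_nodes() {
    if ! selinux_policy_loaded; then
        echo "no SELinux policy loaded, skipping /dev relabel" >&2
        return 0
    fi
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not found in PATH" >&2
        return 1
    fi
    rc=0
    for node in "$@"; do
        # Nodes that do not exist yet are created (and labeled) by udev later.
        [ -e "$node" ] || continue
        restorecon -v "$node" || rc=1
    done
    return $rc
}

# Show the current label of each node so the result can be checked.
# ls -Z prints "?" for the context when SELinux is not active; fall back
# to plain ls where the -Z option is unsupported.
show_dev_labels() {
    ls -Z "$@" 2>/dev/null || ls -l "$@"
}

# Typical call from rc.sysinit or the initramfs, after policy load and
# before start_udev (node list is illustrative):
relabel_static_dev_nodes /dev/console /dev/null /dev/zero /dev/tty /dev/kmsg
show_dev_labels /dev/console /dev/null
```

The check a practitioner wants after wiring this in is simply `ls -Z /dev/console /dev/null` at the point in boot where the early programs run; if the nodes still carry the default type of the underlying filesystem rather than their device types, the relabel ran too early (before policy load) or too late (after udev replaced /dev). The alternative Stephen gives, letting init_t, initrc_t, mount_t and similar domains use the default type through refpolicy's fs_rw_tmpfs_chr_files() interface, is a policy change rather than a boot-script change and trades precise labels for a wider allow rule.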

