On Tue, 2010-08-31 at 11:22 -0400, Daniel J Walsh wrote:
> On 08/31/2010 11:16 AM, Eric Paris wrote:
> > I suggest a third option: Calculate the default at startup and on every
> > policy load and fix object labels if they are the default. I'm sure Dan
> > knows a code example of how to do the calculation. The pseudocode looks
> > something like:
> >
> > lookup the label on /dev
> > lookup the label on the initial task
> > ask the kernel what the resulting label on a file transition with those
> > two pieces of information will be.
> >
> NOOOOO
>
> libvirt is going in and changing fixed_disk_device_t:s0 to svirt_t:c0,c124
>
> We do not want udev to see this and ask what label a device should have
> if libvirtd_t created a chr_file in device_t.

initial task == /sbin/init

actually I should look if the kernel init_cred (what devtmpfs uses to make
security decisions) is initrc_t or kernel_t. I'm guessing it is kernel_t
but I'm not certain how that gets set.....

-Eric
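The calculation in the quoted pseudocode, together with the "fix labels only if they are still the default" rule, as an added example that is not part of the original message or of any udev, libvirt or kernel code. It is a simplified Python model of how a new file object's label is computed; the full contexts, the empty transition table and the kernel_t initial task (the guess made in the message) are constructed assumptions.

```python
# Simplified model of the "compute create" decision for a new file object and
# of the relabel-only-if-default rule. All contexts below are constructed.
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    setype: str
    level: str  # MLS/MCS part, e.g. "s0" or "s0:c0,c124"

    @classmethod
    def parse(cls, text: str) -> "Context":
        user, role, setype, level = text.split(":", 3)
        return cls(user, role, setype, level)

    def __str__(self) -> str:
        return ":".join(self)

# (creator type, parent dir type, object class) -> new type.
# Constructed and empty: with no rule, a node inherits the directory's type.
TYPE_TRANSITIONS: dict = {}

def compute_create(source: Context, target: Context, tclass: str,
                   rules: dict = TYPE_TRANSITIONS) -> Context:
    """Label for a new object of class tclass made by source inside target."""
    new_type = rules.get((source.setype, target.setype, tclass), target.setype)
    low_level = source.level.split("-", 1)[0]  # low end of the creator's range
    return Context(source.user, "object_r", new_type, low_level)

def should_relabel(current: Context, default: Context, wanted: Context) -> bool:
    """Fix a node only while it still carries the computed default label."""
    return current == default and current != wanted

DEV_DIR = Context.parse("system_u:object_r:device_t:s0")    # label on /dev
INIT_TASK = Context.parse("system_u:system_r:kernel_t:s0")  # assumed initial task
DEFAULT = compute_create(INIT_TASK, DEV_DIR, "chr_file")

# What the policy's file contexts would want for a disk node (constructed).
WANTED = Context.parse("system_u:object_r:fixed_disk_device_t:s0")
# A node that libvirt has already relabeled for a guest (constructed).
LIBVIRT_SET = Context.parse("system_u:object_r:svirt_t:s0:c0,c124")

if __name__ == "__main__":
    print("default label for new /dev nodes:", DEFAULT)
    print("fresh node relabeled:", should_relabel(DEFAULT, DEFAULT, WANTED))
    print("libvirt node relabeled:", should_relabel(LIBVIRT_SET, DEFAULT, WANTED))
```

Because the default is computed from the initial task rather than from libvirtd_t, a node that libvirt has relabeled never matches the default and is left alone.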