On Mon, 2013-09-16 at 17:27 +0200, Dominick Grift wrote:
> On Mon, 2013-09-16 at 11:12 -0400, Daniel J Walsh wrote:
>
> > > The problem is not just fixing this. SELinux is misunderstood. If
> > > application developers hook into libselinux but they don't know how they
> > > should use it then that's the fundamental issue to tackle in my view.
> > >
> > Yes the tool writers will take the easy way out, but libselinux is not very
> > flexible with this either. IE Every time a new policy enforcer like systemd
> > or libvirt comes along, libselinux needs to change API. So giving us
> > flexibility for these tools to define context files structure rather than
> > constantly changing libselinux.
> >
> > BTW I am not familiar with anything hard coded into systemd or udev.
> >
>
> I will look up the hard code issues and enclose them

I don't know what's responsible exactly but these are the hard-coded
contexts, and considering their nature I suspect it's either systemd or
udev:

> # dmesg | grep -i selinux | grep -i unmapped
> [ 1.453709] SELinux: Context system_u:object_r:var_run_t:s0 is not valid (left unmapped).
> [ 1.453713] SELinux: Context system_u:object_r:sysfs_t:s0 is not valid (left unmapped).
> [ 1.453717] SELinux: Context system_u:object_r:root_t:s0 is not valid (left unmapped).
> [ 1.453721] SELinux: Context system_u:object_r:device_t:s0 is not valid (left unmapped).
> [ 1.555305] SELinux: Context system_u:object_r:tmp_t:s0 is not valid (left unmapped).
> [ 1.918870] SELinux: Context system_u:object_r:boot_t:s0 is not valid (left unmapped).

It happens pretty much right after the policy is loaded
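
Added example, not part of the original message: a Python sketch that pulls the "left unmapped" contexts out of kernel log text like the dmesg output above and lists the type component of each, which is what a policy author would compare against the loaded policy. The function names are illustrative, and the one unrelated log line in the sample is constructed.

```python
import re

# Kernel log lines copied from the message above, plus one constructed
# unrelated line to show that non-matching output is skipped.
SAMPLE_DMESG = """\
[ 1.400000] SELinux: constructed unrelated line for this example
[ 1.453709] SELinux: Context system_u:object_r:var_run_t:s0 is not valid (left unmapped).
[ 1.453713] SELinux: Context system_u:object_r:sysfs_t:s0 is not valid (left unmapped).
[ 1.453717] SELinux: Context system_u:object_r:root_t:s0 is not valid (left unmapped).
[ 1.453721] SELinux: Context system_u:object_r:device_t:s0 is not valid (left unmapped).
[ 1.555305] SELinux: Context system_u:object_r:tmp_t:s0 is not valid (left unmapped).
[ 1.918870] SELinux: Context system_u:object_r:boot_t:s0 is not valid (left unmapped).
"""

UNMAPPED_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+SELinux:\s+Context\s+(?P<ctx>\S+)"
    r"\s+is not valid \(left unmapped\)\."
)

def split_context(ctx):
    """Split user:role:type[:range]; an MLS range may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"context": ctx, "user": parts[0], "role": parts[1],
            "type": parts[2], "level": parts[3] if len(parts) == 4 else None}

def unmapped_contexts(log_text):
    """Return each unmapped context once, in first-seen order, with its timestamp."""
    seen = {}
    for line in log_text.splitlines():
        m = UNMAPPED_RE.match(line.strip())
        if m and m.group("ctx") not in seen:
            entry = split_context(m.group("ctx"))
            entry["first_seen"] = float(m.group("ts"))
            seen[entry["context"]] = entry
    return list(seen.values())

def unmapped_types(log_text):
    """Sorted, de-duplicated type fields of all unmapped contexts."""
    return sorted({e["type"] for e in unmapped_contexts(log_text)})

if __name__ == "__main__":
    for e in unmapped_contexts(SAMPLE_DMESG):
        print("%10.6f  %-12s %s" % (e["first_seen"], e["type"], e["context"]))
```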