* /dev on tmpfs. How to label?
@ 2010-01-28 11:56 AlannY
  2010-01-28 13:29 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: AlannY @ 2010-01-28 11:56 UTC (permalink / raw)
  To: SELinux

Hi there. I'm still trying to install SELinux on Archlinux. I've already done
the step with /sbin/load_policy -i in the initramfs. But now I have another
difficult-to-solve problem.

Archlinux at boot time (in /etc/rc.sysinit) mounts /dev on tmpfs like so:

    /bin/mount -n -t tmpfs none /dev -o mode=0755

As you can see, nodes in /dev never have the correct context, because they
are created temporarily and deleted at shutdown.

I see there are 2 ways to solve:

  1. Rework the Archlinux boot process so that it does not mount /dev on tmpfs.
  2. Somehow relabel all nodes created at boot.

What do you think about it? Is there any distro which mounts /dev on tmpfs and has working SELinux?

Thanks for patience.
-- 
   )\._.,--....,'``.
  /,   _.. \   _\  (`._ ,.
 `._.-(,_..'--(,_..'`-.;.' 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: /dev on tmpfs. How to label?
  2010-01-28 11:56 /dev on tmpfs. How to label? AlannY
@ 2010-01-28 13:29 ` Stephen Smalley
  2010-01-28 13:55   ` AlannY
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2010-01-28 13:29 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux

On Thu, 2010-01-28 at 14:56 +0300, AlannY wrote:
> Hi there. I'm still trying to install SELinux on Archlinux. I've already done
> the step with /sbin/load_policy -i in the initramfs. But now I have another
> difficult-to-solve problem.
> 
> Archlinux at boot time (in /etc/rc.sysinit) mounts /dev on tmpfs like so:
> 
>     /bin/mount -n -t tmpfs none /dev -o mode=0755
> 
> As you can see, nodes in /dev never have the correct context, because they
> are created temporarily and deleted at shutdown.
> 
> I see there are 2 ways to solve:
> 
>   1. Rework the Archlinux boot process so that it does not mount /dev on tmpfs.
>   2. Somehow relabel all nodes created at boot.
> 
> What do you think about it? Is there any distro which mounts /dev on tmpfs and has working SELinux?

Most distros do that these days, and it works fine in Fedora, for
example.

The technique used in Fedora is to run restorecon -R /dev from
rc.sysinit to set the contexts on the /dev nodes set up before the
policy load, and udev is already SELinux-aware (if built with SELinux
support enabled) and should label any dynamically created nodes
appropriately once SELinux policy has loaded.

-- 
Stephen Smalley
National Security Agency


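As an added illustration of the sequence Stephen describes (this is not code from the thread, from Fedora's rc.sysinit or from Arch's init scripts): a hypothetical rc.sysinit-style fragment that mounts the tmpfs and runs restorecon -R /dev once policy is loaded, followed by a plain-shell dry-run check in the spirit of restorecon -Rnv /dev, so the relabeling decision can be traced without a running SELinux system. The file_contexts excerpt and the ls -Z style listing are constructed for the example, the matcher uses the simplified rule "last matching entry wins" (libselinux additionally orders entries by specificity before lookup), and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the thread or any distro's init scripts.

# --- 1. Boot-time sequence (hypothetical rc.sysinit fragment) ---------------
# Defined only, never called here: it needs root and a system with SELinux.
relabel_dev_at_boot() {
    mount -n -t tmpfs none /dev -o mode=0755      # Arch's original mount line
    # ... the init scripts create their static device nodes here ...
    # Those nodes carry whatever label the tmpfs gave them at creation,
    # not the label file_contexts says they should have, hence the relabel:
    if selinuxenabled 2>/dev/null; then
        restorecon -R /dev
    fi
    # udev, started afterwards and built with SELinux support, labels the
    # nodes it creates dynamically by itself.
}

# --- 2. Dry-run label check, pure shell ------------------------------------
# Constructed file_contexts excerpt (regex  context); real policy has many more
# entries and the generic /dev/.* entry precedes the specific ones, as here.
FILE_CONTEXTS='
/dev/.*              system_u:object_r:device_t:s0
/dev/tty[0-9]*       system_u:object_r:tty_device_t:s0
/dev/null            system_u:object_r:null_device_t:s0
/dev/pts(/.*)?       system_u:object_r:devpts_t:s0
'

# Print the context of the last file_contexts entry whose regex matches the
# whole path (simplified matchpathcon); prints nothing if no entry matches.
expected_context() {
    local path=$1 regex ctx match=""
    while read -r regex ctx; do
        [ -z "$regex" ] && continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}"'$'; then
            match=$ctx
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$match"
}

# Constructed "path context" listing of a freshly mounted tmpfs /dev before
# restorecon: the statically created nodes still carry the tmpfs default label.
BEFORE_RESTORECON='
/dev/tty1   system_u:object_r:tmpfs_t:s0
/dev/null   system_u:object_r:tmpfs_t:s0
/dev/pts/0  system_u:object_r:devpts_t:s0
/dev/sda    system_u:object_r:device_t:s0
'

# Read "path context" lines on stdin and print "path current -> expected" for
# every node whose label differs from file_contexts, like restorecon -Rnv.
# Exit status is 0 when everything is labeled as expected, 1 otherwise.
audit_labels() {
    local path ctx want n=0
    while read -r path ctx; do
        [ -z "$path" ] && continue
        want=$(expected_context "$path")
        if [ -n "$want" ] && [ "$ctx" != "$want" ]; then
            printf '%s %s -> %s\n' "$path" "$ctx" "$want"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Demo run on the constructed listing (on a live system: restorecon -Rnv /dev)
printf '%s\n' "$BEFORE_RESTORECON" | audit_labels \
    || echo "relabel needed: run restorecon -R /dev after policy load"
```

On a real system the check is simply restorecon -Rnv /dev; any output there means the statically created nodes still carry the label they inherited from the tmpfs and the rc.sysinit relabel step is missing or runs too early.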

* Re: /dev on tmpfs. How to label?
  2010-01-28 13:29 ` Stephen Smalley
@ 2010-01-28 13:55   ` AlannY
  2010-01-28 14:20     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: AlannY @ 2010-01-28 13:55 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

On Thu, Jan 28, 2010 at 08:29:18AM -0500, Stephen Smalley wrote:
> Most distros do that these days, and it works fine in Fedora, for
> example.
> 
> The technique used in Fedora is to run restorecon -R /dev from
> rc.sysinit to set the contexts on the /dev nodes set up before the
> policy load, and udev is already SELinux-aware (if built with SELinux
> support enabled) and should label any dynamically created nodes
> appropriately once SELinux policy has loaded.

Ok. I've built udev --with-selinux and it seems I now have a good context (or maybe the right one?).

Well, my Controlling term: user_u:object_r:user_tty_device_t:s0. Is that normal?


* Re: /dev on tmpfs. How to label?
  2010-01-28 13:55   ` AlannY
@ 2010-01-28 14:20     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2010-01-28 14:20 UTC (permalink / raw)
  To: AlannY; +Cc: SELinux

On Thu, 2010-01-28 at 16:55 +0300, AlannY wrote:
> On Thu, Jan 28, 2010 at 08:29:18AM -0500, Stephen Smalley wrote:
> > Most distros do that these days, and it works fine in Fedora, for
> > example.
> > 
> > The technique used in Fedora is to run restorecon -R /dev from
> > rc.sysinit to set the contexts on the /dev nodes set up before the
> > policy load, and udev is already SELinux-aware (if built with SELinux
> > support enabled) and should label any dynamically created nodes
> > appropriately once SELinux policy has loaded.
> 
> Ok. I've built udev --with-selinux and it seems I now have a good context (or maybe the right one?).
> 
> Well, my Controlling term: user_u:object_r:user_tty_device_t:s0. Is that normal?

Yes.  user_tty_device_t for a tty, user_devpts_t for a pty.

-- 
Stephen Smalley
National Security Agency


