On Mon, 20 Jan 2014 09:43:24 -0500
Daniel J Walsh <dwa...@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
>
> A better patch would be to use setfscreatecon(scontext) before the
> mknod. And setfscreatecon(NULL) after.
>
>
> Pseuod code
> #if ENABLE_SELINUX
> security_context_t scontext = NULL;
> char *node_path = xasprintf("/dev/%s", node_name);
> if (matchpathcon(node_path, rule->mode | type, &scontext) ==
> 0) { setfscreatecon(scontext);
> freecon(scontext);
> #endif
> if (mknod(node_name, rule->mode | type, makedev(major,
> minor)) && errno != EEXIST)
> bb_perror_msg("can't create '%s'", node_name);
> #if ENABLE_SELINUX
> setfscreatecon(NULL);
> #endif
>
> That way you eliminate a potential race condition where the node is
> temporarily mislabeled.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlLdNgwACgkQrlYvE4MpobPnhwCgtYGSnzSfemSnTSZYEtIRaPi1
> uRcAoIxEL5vwZJK+Qnic2BZeKsJpk2iu
> =6kck
> -----END PGP SIGNATURE-----
I don't mind doing it like this, in fact first version of this patch
looked almost exactly same.
My reasoning for doing it the other way is that some nodes (at least on
gentoo - console, tty, tty1, null, kmsg) are created before and labels
on those need to be fixed (one can of course edit his scripts and run
restorecon). Also it should work better this way with people using
devtmpfs to mount/automount /dev, even though they later use mdev.
Amadeusz
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
