On Mon, 20 Jan 2014 09:43:24 -0500 Daniel J Walsh <dwa...@redhat.com> wrote:
> On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
> 
> A better patch would be to use setfscreatecon(scontext) before the
> mknod. And setfscreatecon(NULL) after.
> 
> Pseudo code
> 
> #if ENABLE_SELINUX
>         security_context_t scontext = NULL;
>         char *node_path = xasprintf("/dev/%s", node_name);
>         /* ask policy which context a node at /dev/<name> should get */
>         if (matchpathcon(node_path, rule->mode | type, &scontext) == 0) {
>                 /* every file created by this process now gets that context */
>                 setfscreatecon(scontext);
>                 freecon(scontext);
>         }
>         free(node_path);
> #endif
>         if (mknod(node_name, rule->mode | type, makedev(major, minor)) && errno != EEXIST)
>                 bb_perror_msg("can't create '%s'", node_name);
> #if ENABLE_SELINUX
>         /* back to the default creation context */
>         setfscreatecon(NULL);
> #endif
> 
> That way you eliminate a potential race condition where the node is
> temporarily mislabeled.

I don't mind doing it like this, in fact the first version of this patch looked almost exactly the same. My reasoning for doing it the other way is that some nodes (at least on gentoo - console, tty, tty1, null, kmsg) are created before and labels on those need to be fixed (one can of course edit his scripts and run restorecon). Also it should work better this way with people using devtmpfs to mount/automount /dev, even though they later use mdev.

Amadeusz

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
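The point Amadeusz raises is that nodes created before mdev runs (by devtmpfs or early boot scripts) keep whatever label they were born with, so a defender wants a quick way to spot them. The following check is an added example, not code from the thread or from busybox: it compares an `ls -Z`-style listing of /dev nodes against the contexts `matchpathcon` says the policy expects, using constructed sample output for both so it runs offline (the type names are typical refpolicy ones, the mismatches are made up).

```sh
#!/bin/sh
# Added example: report /dev nodes whose SELinux context differs from the
# context the file-context policy expects for their path.
# On a live system the two inputs are:  ls -Z /dev/...   and   matchpathcon /dev/...

# Constructed sample of `ls -Z` output ("<context> <path>") for nodes that
# devtmpfs created before mdev ran; three of them still carry device_t.
SAMPLE_LS='system_u:object_r:device_t:s0 /dev/console
system_u:object_r:null_device_t:s0 /dev/null
system_u:object_r:device_t:s0 /dev/kmsg
system_u:object_r:tty_device_t:s0 /dev/tty1
system_u:object_r:device_t:s0 /dev/tty'

# Constructed sample of `matchpathcon` output ("<path> <expected context>").
SAMPLE_EXPECTED='/dev/console system_u:object_r:console_device_t:s0
/dev/null system_u:object_r:null_device_t:s0
/dev/kmsg system_u:object_r:kmsg_device_t:s0
/dev/tty1 system_u:object_r:tty_device_t:s0
/dev/tty system_u:object_r:devtty_t:s0'

# check_labels ACTUAL EXPECTED
#   prints one MISLABELED line per node whose context differs from policy;
#   returns 0 when every listed node matches, 1 otherwise.
check_labels() {
    actual=$1; expected=$2; bad=0
    while read -r ctx path; do
        # look up the expected context for this exact path
        want=$(printf '%s\n' "$expected" | awk -v p="$path" '$1 == p { print $2 }')
        [ -n "$want" ] || continue          # no policy entry: nothing to compare
        if [ "$ctx" != "$want" ]; then
            printf 'MISLABELED %s is %s, should be %s\n' "$path" "$ctx" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$actual
EOF
    [ "$bad" -eq 0 ]
}

# Stand-alone run over the constructed samples; the fix for anything listed
# is the restorecon step mentioned in the thread.
check_labels "$SAMPLE_LS" "$SAMPLE_EXPECTED" || echo "relabel the nodes above with restorecon"
```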