On 01/20/2014 10:56 AM, Amadeusz Sławiński wrote:
> On Mon, 20 Jan 2014 09:43:24 -0500
> Daniel J Walsh <dwa...@redhat.com> wrote:
>
> > On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
> >
> > A better patch would be to use setfscreatecon(scontext) before the mknod.
> > And setfscreatecon(NULL) after.
> >
> > Pseudo code
> >
> >     #if ENABLE_SELINUX
> >     security_context_t scontext = NULL;
> >     char *node_path = xasprintf("/dev/%s", node_name);
> >     if (matchpathcon(node_path, rule->mode | type, &scontext) == 0) {
> >         setfscreatecon(scontext);
> >         freecon(scontext);
> >     }
> >     #endif
> >     if (mknod(node_name, rule->mode | type, makedev(major, minor)) && errno != EEXIST)
> >         bb_perror_msg("can't create '%s'", node_name);
> >     #if ENABLE_SELINUX
> >     setfscreatecon(NULL);
> >     #endif
> >
> > That way you eliminate a potential race condition where the node is
> > temporarily mislabeled.
>
> I don't mind doing it like this, in fact the first version of this patch
> looked almost exactly the same.
>
> My reasoning for doing it the other way is that some nodes (at least on
> gentoo - console, tty, tty1, null, kmsg) are created before and labels on
> those need to be fixed (one can of course edit his scripts and run
> restorecon). Also it should work better this way with people using devtmpfs
> to mount/automount /dev, even though they later use mdev.

No problem, as long as you have considered both ways that is fine. If mdev
runs before other apps, the race condition might not be important.

> Amadeusz
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox