From: martin@martinorr.name (Martin Orr)
Date: Wed, 27 Jul 2011 20:47:04 +0100
Subject: [refpolicy] new runtime udev directory tree (was Re: ANN: Reference Policy Release)
In-Reply-To: <1311707249.11418.19.camel@vortex>
References: <4E2F0B0D.9050206@tresys.com> <1311707249.11418.19.camel@vortex>
Message-ID: <20110727204704.606662e8q76lz3sw@webmail.tuffmail.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue 26 Jul 20:07:29 2011, Guido Trentalancia wrote:
> Thanks very much Christopher for the new release!
>
> Just a quick reminder that it seems to me that latest git (and thus
> implicitly the new release) does not cater for proper file context
> definitions yet for the new udev directory /run.

Git refpolicy and the new release contain:

/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)

As explained in the relevant commit message, this is intended to label
/run/udev rather than /var/run/udev. You need to use some method outside
the refpolicy to ensure that directories in /run are labelled the same as
the corresponding directories in /var/run. The easiest is to put

/run /var/run

in /etc/selinux/$NAME/contexts/files/file_contexts.subs.

> Latest udev releases are moving from /dev/.udev to /run (still optional
> at this transition stage but perhaps it will become mandatory one day).
>
> In terms of release numbers it should be at least any udev-17? (but
> possibly also some of the udev-16?).
>
> At the moment, I see:
>
> # ls -lZ /dev/.udev/
> drwxr-xr-x. root root system_u:object_r:udev_tbl_t:s0
> ...
>
> # grep ^/run policy/modules/kernel/files.fc
> /run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> /run/.* gen_context(system_u:object_r:var_run_t,s0)
> /run/.*\.*pid <>
> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
>
> # grep ^/var\/run policy/modules/kernel/files.fc
> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> /var/run -l gen_context(system_u:object_r:var_run_t,s0)
> /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
> /var/run/.*\.*pid <>
> /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
>
> If the above is confirmed, we have an inconsistency for /run because it would
> just be a duplicate for /var/run, which potentially conflicts with new udev.

/run is supposed to be a duplicate of /var/run (they should be the same
directory via either a symlink or a bind mount). Refpolicy currently does
not have fcs for /run so you need to use file_contexts.subs as above to
label /run.

As an alternative method, in the Debian policy, Russell used Perl to add
duplicates of all the /var/run lines with /run instead.

Best wishes,
Martin Orr
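The following is an added illustration, not code from this thread, from refpolicy or from the Debian policy: it takes the file_contexts lines quoted above as a constructed sample and shows why /run/udev gets var_run_t without a file_contexts.subs entry, how the "/run /var/run" prefix substitution changes the lookup, and how the Debian-style duplication of /var/run lines reaches the same result. The lookup rule (longest fully matching regex wins) is a simplification of libselinux's real specificity ordering and is an assumption of this example.

```python
import re

# Constructed subset of refpolicy file_contexts entries (the /run and /var/run
# lines quoted in the thread plus the udev_tbl_t one); not the whole files.fc.
FC_TEXT = """\
/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
"""
# The file_contexts.subs rule from the reply, as (source prefix, target prefix).
SUBS = [("/run", "/var/run")]
GEN_CTX = re.compile(r"gen_context\(([^,]+),([^)]+)\)")

def parse_fc(text):
    """Parse fc lines into (compiled regex, 'user:role:type:level') pairs;
    entries with '<>' (no context) get None. A -d/-l/-- flag is ignored."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        m = GEN_CTX.search(parts[-1])
        entries.append((re.compile(parts[0]), f"{m[1]}:{m[2]}" if m else None))
    return entries

def apply_subs(path, subs):
    """Rewrite a leading directory prefix, as libselinux does before matching."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def lookup(path, fc_entries, subs=()):
    """Context for path; the longest fully matching regex wins (a simplification
    of libselinux's specificity ordering, assumed here for illustration)."""
    path = apply_subs(path, subs)
    hits = [(len(rx.pattern), ctx) for rx, ctx in fc_entries if rx.fullmatch(path)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def duplicate_for_run(text):
    """Debian-style alternative: repeat every /var/run entry with a /run prefix."""
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.startswith("/var/run"):
            out.append("/run" + line[len("/var/run"):])
    return "\n".join(out) + "\n"
```

Without the subs rule, /run/udev/data only matches the generic /run/.* entry; with it, the path is rewritten to /var/run/udev/data and picks up udev_tbl_t, as does a lookup against the duplicated fc lines.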