From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 28 Jul 2011 17:02:25 +0200
Subject: [refpolicy] new runtime udev directory tree (was Re: ANN: Reference Policy Release)
In-Reply-To: <20110727204704.606662e8q76lz3sw@webmail.tuffmail.net>
References: <4E2F0B0D.9050206@tresys.com> <1311707249.11418.19.camel@vortex> <20110727204704.606662e8q76lz3sw@webmail.tuffmail.net>
Message-ID: <1311865345.26714.3.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Oh yes, and the commit was exactly from you on Jul 18th! Thanks very much Martin!

I didn't notice that, because I was matching against ^/run. It's all explained now, sorry to the list about the confusion.

Regards,

Guido

On Wed, 2011-07-27 at 20:47 +0100, Martin Orr wrote:
> On Tue 26 Jul 20:07:29 2011, Guido Trentalancia wrote:
>
> > Thanks very much Christopher for the new release!
> >
> > Just a quick reminder that it seems to me that latest git (and thus
> > implicitly the new release), do not cater proper file contexts
> > definitions yet for new udev directory /run.
>
> Git refpolicy and the new release contain:
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
>
> As explained in the relevant commit message, this is intended to label
> /run/udev rather than /var/run/udev.
>
> You need to use some method outside the refpolicy to ensure that
> directories in /run are labelled the same as the corresponding
> directories in /var/run. The easiest is to put
> /run /var/run
> in /etc/selinux/$NAME/contexts/files/file_contexts.subs.
>
> > Latest udev releases are moving from /dev/.udev to /run (still optional
> > at this transition stage but perhaps it will become mandatory one day).
> >
> > In terms of release numbers should be at least any udev-17? (but
> > possibly also some of the udev-16?).
> >
> > At the moment, I see:
> >
> > # ls -lZ /dev/.udev/
> > drwxr-xr-x. root root system_u:object_r:udev_tbl_t:s0
> > ...
> >
> > # grep ^/run policy/modules/kernel/files.fc
> > /run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> > /run/.* gen_context(system_u:object_r:var_run_t,s0)
> > /run/.*\.*pid <<none>>
> > /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
> >
> > # grep ^/var\/run policy/modules/kernel/files.fc
> > /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> > /var/run -l gen_context(system_u:object_r:var_run_t,s0)
> > /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
> > /var/run/.*\.*pid <<none>>
> > /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
> >
> > If the above is confirmed, we have an inconsistency for /run because it would
> > just be a duplicate for /var/run which potentially conflicts with new udev.
>
> /run is supposed to be a duplicate of /var/run (they should be the
> same directory via either a symlink or a bind mount). Refpolicy
> currently does not have fcs for /run so you need to use
> file_contexts.subs as above to label /run. As an alternative method,
> in the Debian policy, Russell used Perl to add duplicates of all the
> /var/run lines with /run instead.
>
> Best wishes,
> Martin Orr
>
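The following is an added illustration, not part of the thread and not libselinux or refpolicy code. It models the two approaches Martin describes (a `/run /var/run` entry in `file_contexts.subs`, and the Debian alternative of duplicating every `/var/run` line as a `/run` line) against the file_contexts lines quoted in the thread, so that the labelling difference Guido noticed can be checked offline. Assumptions, stated in the comments: the matcher treats file_contexts as "last matching line wins", the subs entry is applied as a prefix substitution at a path-component boundary before lookup, and the `gen_context(user:role:type,mls)` macro is expanded to `user:role:type:mls`. The sample file_contexts text is constructed from the lines on this page.

```python
import re
from collections import namedtuple

# Constructed sample: the files.fc lines quoted in the thread plus the
# /var/run/udev line Martin cites. Raw string so the fc regexes survive.
FC_SAMPLE = r"""
/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run/.* gen_context(system_u:object_r:var_run_t,s0)
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
"""

# pattern: regex text; regex: compiled; ftype: "-d", "-l", "--" or None; context: str or None
FcRule = namedtuple("FcRule", "pattern regex ftype context")


def expand_context(ctx):
    """Expand gen_context(user:role:type,mls) to user:role:type:mls; <<none>> -> None."""
    if ctx == "<<none>>":
        return None
    m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
    if not m:
        raise ValueError(f"unsupported context spec: {ctx!r}")
    return f"{m.group(1)}:{m.group(2)}"


def parse_fc(text):
    """Parse '<regex> [<ftype>] <context>' lines into FcRule entries, file order kept."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, ftype, ctx = parts
        elif len(parts) == 2:
            (pattern, ctx), ftype = parts, None
        else:
            raise ValueError(f"malformed fc line: {line!r}")
        rules.append(FcRule(pattern, re.compile(pattern), ftype, expand_context(ctx)))
    return rules


def apply_subs(path, subs):
    """Assumed model of file_contexts.subs: the first 'src dst' entry whose src is a
    whole leading path component of path is substituted before the fc lookup.
    '/runner/x' is therefore NOT rewritten by a '/run /var/run' entry."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def match_context(rules, path, ftype=None, subs=()):
    """Return the context for path (None for <<none>> or no match).
    Assumed model: the last matching line in file order wins; a rule carrying a
    file-type flag only matches objects of that type."""
    path = apply_subs(path, subs)
    for rule in reversed(rules):
        if rule.ftype is not None and rule.ftype != ftype:
            continue
        if rule.regex.fullmatch(path):
            return rule.context
    return None


def duplicate_var_run(fc_text):
    """The Debian-policy alternative Martin mentions: append a /run copy of every
    /var/run line (a Python stand-in for the Perl he refers to)."""
    lines = [ln for ln in fc_text.splitlines() if ln.strip()]
    extra = [ln.replace("/var/run", "/run", 1) for ln in lines if ln.startswith("/var/run")]
    return "\n".join(lines + extra) + "\n"


def demo(path="/run/udev/data"):
    """Label a path under /run three ways: stock fc, fc plus subs, fc plus duplicates."""
    rules = parse_fc(FC_SAMPLE)
    return {
        "stock": match_context(rules, path),
        "subs": match_context(rules, path, subs=[("/run", "/var/run")]),
        "duplicated": match_context(parse_fc(duplicate_var_run(FC_SAMPLE)), path),
    }


if __name__ == "__main__":
    for how, ctx in demo().items():
        print(f"{how:>10}: {ctx}")
```

With the stock lines, `/run/udev/data` falls through to the generic `/run/.*` entry and gets `var_run_t`, which is the inconsistency raised in the thread; with either the subs entry or the duplicated lines it resolves to `udev_tbl_t`, matching the intent of the `/var/run/udev(/.*)?` line. The `<<none>>` handling is also visible: a `.pid` file directly under the stock `/run/.*\.*pid` rule receives no context at all.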