[systemd-devel] This patch adds SELinux support to systemd for socket creation.

Kay Sievers kay.sievers at vrfy.org
Fri Jul 23 04:39:56 PDT 2010


On Fri, Jul 23, 2010 at 13:21, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 07/23/2010 06:56 AM, Kay Sievers wrote:
>> On Fri, Jul 23, 2010 at 12:30, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> I thought I saw avc's caused because systemd creating some devices with
>>> the wrong labels?  I searched for mknod but found no calls.  Does
>>> systemd create any nodes?
>>
>> It should not create any nodes. Systemd depends on the
>> kernel-maintained devtmpfs for all device nodes.
>>
>> Udev runs on top of devtmpfs and adjusts permissions/selinux context
>> in the background. Could there be a timing problem, that some nodes
>> which the kernel has created get accessed, but don't have the proper
>> context in the moment udev is still iterating over them?
>>
> Probably.  It could be devices created in initrd are being accessed
> before udev relabels.
>
> I think we need a restorecon -Rv /dev in dracut before /bin/init is
> executed.  I tried to put this into
> /usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh
>
> but as I remember it told me that /dev was read-only at the time.

Hmm, initramfs mounts /dev, which is the kernel's devtmpfs. Before
init/systemd is started the same /dev from initramfs is moved to the
rootfs' /dev. The initial /dev inside the initramfs is the kernel's
ramfs root, which should also be writable. So /dev should always be
writable.

Kay
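The window Kay describes, between devtmpfs creating a node with the kernel's generic label and udev applying the per-node context, is what a `restorecon -nv /dev` run would surface. The script below is an added example, not code from this thread or from systemd, udev or dracut: it re-implements that check offline over a constructed `ls -Z`-style listing and a constructed file_contexts-style fragment, so it runs without SELinux tooling. It assumes whitespace-separated spec lines of the form `regex [-type] context`, anchored whole-path regexes, and that the last matching entry wins (the ordering convention that lets the `/dev/.*` catch-all sit first); file-type flags like `-c` are accepted but not checked, since the listing carries no type column.

```shell
#!/bin/sh
# Offline check for /dev nodes still carrying the generic label devtmpfs gave
# them instead of the per-node context a file_contexts spec would assign.
# Both inputs below are constructed samples, not output captured from a machine.

# Constructed file_contexts-style fragment: regex [-type] context, whitespace
# separated. Last matching entry wins (assumption), so the catch-all comes first.
SPEC='/dev/.*            system_u:object_r:device_t:s0
/dev/null       -c  system_u:object_r:null_device_t:s0
/dev/zero       -c  system_u:object_r:zero_device_t:s0
/dev/tty[0-9]*  -c  system_u:object_r:tty_device_t:s0
/dev/sd[a-z].*  -b  system_u:object_r:fixed_disk_device_t:s0'

# Constructed listing in "context path" form, as a trimmed `ls -Z /dev` would
# give: /dev/null and /dev/sda already relabelled, the others still generic.
LISTING='system_u:object_r:null_device_t:s0 /dev/null
system_u:object_r:device_t:s0 /dev/zero
system_u:object_r:device_t:s0 /dev/tty1
system_u:object_r:fixed_disk_device_t:s0 /dev/sda
system_u:object_r:device_t:s0 /dev/sda1'

# Print "path current-context expected-context" for every node whose current
# label differs from the spec's answer, i.e. what restorecon -nv would report.
mislabeled_devices() {
    spec_file=$(mktemp) && list_file=$(mktemp) || return 1
    printf '%s\n' "$SPEC" > "$spec_file"
    printf '%s\n' "$LISTING" > "$list_file"
    awk '
        # First input: the spec. Keep each regex anchored and its context.
        FNR == NR {
            if (NF < 2 || $0 ~ /^#/) next
            n++; re[n] = "^" $1 "$"; ctx[n] = $NF
            next
        }
        # Second input: the listing. Walk the spec backwards so the last
        # matching entry wins, then compare against the label we were given.
        {
            path = $2; want = ""
            for (i = n; i >= 1; i--) if (path ~ re[i]) { want = ctx[i]; break }
            if (want != "" && want != $1) printf "%s %s %s\n", path, $1, want
        }' "$spec_file" "$list_file"
    rc=$?
    rm -f "$spec_file" "$list_file"
    return $rc
}

# Usage: one line per mismatch; an empty result means udev has finished
# relabelling everything the spec covers.
mislabeled_devices
```

Run against the constructed inputs it reports /dev/zero, /dev/tty1 and /dev/sda1 as still generic and stays silent on /dev/null and /dev/sda. On a real system the equivalent is `restorecon -nv /dev`; anything it lists during early boot is a node a service could have touched before udev reached it, which is exactly the AVC source Daniel was chasing.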
