[systemd-devel] Fix systemd-udev labeling of /var/run directory.

Lennart Poettering lennart at poettering.net
Thu May 31 04:01:32 PDT 2012


On Thu, 31.05.12 06:54, Daniel J Walsh (dwalsh at redhat.com) wrote:

Heya,

> >> On Wed, 30.05.12 16:13, Daniel J Walsh (dwalsh at redhat.com) wrote:
> >> 
> >>> +        const char *prefixes[] = { "/dev", "/var/run", NULL };
> >> 
> >> Is there a reason this mentions /var/run and not /run?
> >> 
> >> Otherwise looks good to me!
> > 
> > I have now committed the patch but took the liberty to change /var/run to 
> > /run here.
> > 
> > Lennart
> > 
> Yes it has to be /var/run.  The policy is all written with the upstream
> /var/run patterns not /run.
> 
> 
> # matchpathcon -p /run /run/udev
> /run/udev	system_u:object_r:default_t:s0
> 
> # matchpathcon -p /var/run /run/udev
> /run/udev	system_u:object_r:udev_var_run_t:s0
> 
> We have equivalence match between /run -> /var/run
> 
> But the library for loading initial context does not take this into account.

Humm, but it seems wrong to encode in the C code that the policy hasn't
been updated for the /var/run move yet... [1]

Note that starting with F17 /var/run is unconditionally a symlink now,
and no longer a bind mount. This means /run is always the right name for
this, on any level. Isn't it time to update the policy to reflect this?

Hmm, people have noticed that the systemd 184 (with your patch applied)
doesn't build on non-Fedora anymore because your patch appears to use a
Fedora-only API addition. Will this go upstream any time soon? I feel
quite uncomfortable leaving this in the state in systemd, effectively
breaking everybody's but Fedora's build with this?

Thanks,

Lennart


Footnotes:

[1] The least we should probably do is include both /var/run and /run in
the list...
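To make the mismatch in the matchpathcon output above concrete, here is an added example (not systemd's or libselinux's code) of a label lookup that first tries the path as given and then retries under the /var/run spelling, i.e. it applies the /run -> /var/run equivalence in the caller since the library does not. The file-context table is a constructed stand-in with plain prefixes; the real policy uses regexes and a real lookup would go through selabel_lookup.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the file-context policy (not the real policy):
 * plain path prefixes instead of the regexes the real policy uses. */
struct fcontext { const char *prefix; const char *label; };
static const struct fcontext policy[] = {
    { "/dev",          "system_u:object_r:device_t:s0" },
    { "/var/run/udev", "system_u:object_r:udev_var_run_t:s0" },
    { NULL, NULL },
};

/* Label a path falls back to when no pattern matches (as matchpathcon shows). */
static const char *const default_label = "system_u:object_r:default_t:s0";

/* Plain lookup: longest matching prefix wins, on a path-component boundary. */
const char *lookup_raw(const char *path) {
    const char *best = default_label;
    size_t best_len = 0;
    for (const struct fcontext *fc = policy; fc->prefix; fc++) {
        size_t n = strlen(fc->prefix);
        if (strncmp(path, fc->prefix, n) == 0
            && (path[n] == '\0' || path[n] == '/')
            && n > best_len) {
            best = fc->label;
            best_len = n;
        }
    }
    return best;
}

/* Lookup that applies the /run -> /var/run equivalence: if the path as given
 * only yields the default label and lives under /run, retry it as /var/run. */
const char *lookup_label(const char *path) {
    const char *label = lookup_raw(path);
    if (label != default_label)
        return label;
    if (strcmp(path, "/run") == 0 || strncmp(path, "/run/", 5) == 0) {
        char alt[4096];
        snprintf(alt, sizeof alt, "/var%s", path);   /* "/run/udev" -> "/var/run/udev" */
        return lookup_raw(alt);
    }
    return label;
}
```

The two lookups reproduce the two matchpathcon results quoted above: lookup_raw("/run/udev") yields default_t, lookup_label("/run/udev") yields udev_var_run_t.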

-- 
Lennart Poettering - Red Hat, Inc.

