[systemd-devel] This patch adds SELinux support to systemd for socket creation.
Daniel J Walsh
dwalsh at redhat.com
Fri Jul 23 04:21:33 PDT 2010
On 07/23/2010 06:56 AM, Kay Sievers wrote:
> On Fri, Jul 23, 2010 at 12:30, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> I thought I saw avc's caused because systemd creating some devices with
>> the wrong labels? I searched for mknod but found no calls. Does
>> systemd create any nodes?
>
> It should not create any nodes. Systemd depends on the
> kernel-maintained devtmpfs for all device nodes.
>
> Udev runs on top of devtmpfs and adjusts permissions/selinux context
> in the background. Could there be a timing problem, that some nodes
> which the kernel has created get accessed, but don't have the proper
> context in the moment udev is still iterating over them?
>
> Kay
Probably. It could be devices created in initd are being accessed
before udev relabels.
I think we need a restorecon -Rv /dev in dracut before /bin/init is
executed. I tried to put this into
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh
but as I remember it told me that /dev was read-only at the time.
If Harald is on the list maybe he would know where to put this.
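Added example, not part of Dan's or Kay's messages and not dracut or systemd code: a small POSIX shell script that checks the two things the message turns on. First, whether any node under /dev still carries a label that the file-context policy would change (what `restorecon -Rv /dev` would fix when run from dracut before /bin/init); second, whether a mount point such as /dev is currently read-only, which is the obstacle Dan ran into. The "Would relabel <path> from <old> to <new>" line format parsed here is assumed to be what `restorecon -nv` prints on this version of policycoreutils; the sample output and the sample /proc/mounts line are constructed so the script runs offline on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the thread, not dracut/systemd code).
# Reports /dev nodes that restorecon would relabel, and whether a mount is ro.
# Assumption: `restorecon -nv` prints "Would relabel <path> from <old> to <new>".

# Constructed sample of `restorecon -Rnv /dev` output for offline use.
SAMPLE_RESTORECON='Would relabel /dev/sda from system_u:object_r:device_t:s0 to system_u:object_r:fixed_disk_device_t:s0
Would relabel /dev/tty0 from system_u:object_r:device_t:s0 to system_u:object_r:tty_device_t:s0'

# Constructed sample of /proc/mounts, with /dev mounted read-only.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
devtmpfs /dev devtmpfs ro,nosuid,size=1G 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# mislabeled_nodes: read restorecon -nv output on stdin, print one path per line
# for every node whose current label differs from what the policy expects.
mislabeled_nodes() {
    awk '$1 == "Would" && $2 == "relabel" { print $3 }'
}

# count_mislabeled: number of nodes restorecon would relabel (stdin as above).
count_mislabeled() {
    mislabeled_nodes | wc -l | tr -d ' '
}

# mount_is_ro MOUNTPOINT: read /proc/mounts-format lines on stdin; exit 0 if
# MOUNTPOINT is mounted with the "ro" option, 1 otherwise (or if not mounted).
mount_is_ro() {
    awk -v m="$1" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }'
}

# dev_label_report: use the real dry run when SELinux tooling is present
# (needs an SELinux-enabled kernel and normally root), otherwise fall back to
# the constructed sample so the check still runs offline.
dev_label_report() {
    if command -v restorecon >/dev/null 2>&1 && [ -e /sys/fs/selinux/enforce ]; then
        restorecon -Rnv /dev 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_RESTORECON"
    fi
}

main() {
    mounts=$( [ -r /proc/mounts ] && cat /proc/mounts || printf '%s\n' "$SAMPLE_MOUNTS" )
    if printf '%s\n' "$mounts" | mount_is_ro /dev; then
        echo "/dev is mounted read-only: restorecon cannot relabel it here"
    fi
    report=$(dev_label_report)
    n=$(printf '%s\n' "$report" | count_mislabeled)
    echo "$n node(s) under /dev would be relabeled:"
    printf '%s\n' "$report" | mislabeled_nodes
}

# Run main only when executed directly, so the functions can be sourced.
case "$0" in *sh) ;; *) main "$@" ;; esac
```

On a real SELinux system `dev_label_report` runs the genuine dry run; a non-zero count after boot is the symptom Kay describes (nodes devtmpfs created, touched before udev has relabeled them), and a read-only /dev in the early-boot mount table is why a plain `restorecon` placed too early in dracut fails.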