[systemd-devel] Fix systemd-udev labeling of /var/run directory.
Daniel J Walsh
dwalsh at redhat.com
Thu May 31 04:04:37 PDT 2012
On 05/31/2012 07:01 AM, Lennart Poettering wrote:
> On Thu, 31.05.12 06:54, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
> Heya,
>
>>>> On Wed, 30.05.12 16:13, Daniel J Walsh (dwalsh at redhat.com) wrote:
>>>>
>>>>> + const char *prefixes[] = { "/dev", "/var/run", NULL };
>>>>
>>>> Is there a reason this mentions /var/run and not /run?
>>>>
>>>> Otherwise looks good to me!
>>>
>>> I have now committed the patch but took the liberty to change /var/run
>>> to /run here.
>>>
>>> Lennart
>>>
>> Yes, it has to be /var/run. The policy is all written with the upstream
>> /var/run patterns, not /run.
>>
>>
>> # matchpathcon -p /run /run/udev /run/udev
>> system_u:object_r:default_t:s0
>>
>> # matchpathcon -p /var/run /run/udev /run/udev
>> system_u:object_r:udev_var_run_t:s0
>>
>> We have equivalence match between /run -> /var/run
>>
>> But the library for loading initial context does not take this into
>> account.
>
> Humm, but it seems wrong encoding in the C code that the policy hasn't been
> updated for the /var/run move yet... [1]
>
> Note that starting with F17 /var/run is unconditionally a symlink now, and
> no longer a bind mount. This means /run is always the right name for this,
> on any level. Isn't it time to update the policy to reflect this?
>
> Hmm, people have noticed that the systemd 184 (with your patch applied)
> doesn't build on non-Fedora anymore because your patch appears to use a
> Fedora-only API addition. Will this go upstream any time soon? I feel quite
> uncomfortable leaving this in the state in systemd, effectively breaking
> everybody's but Fedora's build with this?
>
> Thanks,
>
> Lennart
>
>
> Footnotes:
>
> [1] The least we should probably do is include both /var/run and /run in
> the list...
>
Ok, Eric and I will work to get it upstream. I guess for F18 I can move the
/var/run definition to /run and reverse the equivalence. But it is probably
best to put /var/run and /run in the list.
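As an added illustration (not code from this thread, systemd or libselinux), a simplified C model of the behaviour Daniel describes: the /run -> /var/run equivalence is applied to the path being looked up, but a load-time prefix filter is compared against the raw file_contexts pattern text, so a prefix list naming only /run drops the udev entry written as /var/run, while a list naming both keeps it. The file_contexts lines, the lookup function and the prefix lists are constructed for the example.

```c
/* Simplified model, not libselinux: prefix-filtered load + equivalence lookup. */
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed file_contexts fragment, written in the upstream /var/run form. */
struct fc { const char *regex; const char *ctx; };
static const struct fc FILE_CONTEXTS[] = {
    { "/var/run/udev(/.*)?", "system_u:object_r:udev_var_run_t:s0" },
    { "/dev/.*",             "system_u:object_r:device_t:s0" },
};
#define N_FC (sizeof FILE_CONTEXTS / sizeof FILE_CONTEXTS[0])
static const char *DEFAULT_CTX = "system_u:object_r:default_t:s0";
/* Rewrite the looked-up path through the "/run -> /var/run" equivalence. */
static void canonicalize(const char *path, char *out, size_t n) {
    if (strncmp(path, "/run", 4) == 0 && (path[4] == '/' || path[4] == '\0'))
        snprintf(out, n, "/var/run%s", path + 4);
    else
        snprintf(out, n, "%s", path);
}
/* Load-time filter: keep a pattern only if its raw text starts with a prefix. */
static int pattern_kept(const char *regex, const char **prefixes) {
    for (; *prefixes; prefixes++)
        if (strncmp(regex, *prefixes, strlen(*prefixes)) == 0) return 1;
    return 0;
}
/* Label a path using only the patterns that survived the prefix filter. */
const char *lookup(const char *path, const char **prefixes) {
    char canon[256];
    canonicalize(path, canon, sizeof canon);
    for (size_t i = 0; i < N_FC; i++) {
        regex_t re; char anchored[128];
        if (!pattern_kept(FILE_CONTEXTS[i].regex, prefixes)) continue;
        snprintf(anchored, sizeof anchored, "^%s$", FILE_CONTEXTS[i].regex);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) continue;
        int hit = regexec(&re, canon, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) return FILE_CONTEXTS[i].ctx;
    }
    return DEFAULT_CTX;
}
int main(void) {
    const char *run_only[] = { "/dev", "/run", NULL };
    const char *both[]     = { "/dev", "/var/run", "/run", NULL };
    printf("prefix /run only:      %s\n", lookup("/run/udev", run_only));
    printf("prefixes /var/run+/run: %s\n", lookup("/run/udev", both));
    return 0;
}
```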