[systemd-devel] Fix systemd-udev labeling of /var/run directory.

Daniel J Walsh dwalsh at redhat.com
Thu May 31 04:04:37 PDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/31/2012 07:01 AM, Lennart Poettering wrote:
> On Thu, 31.05.12 06:54, Daniel J Walsh (dwalsh at redhat.com) wrote:
> 
> Heya,
> 
>>>> On Wed, 30.05.12 16:13, Daniel J Walsh (dwalsh at redhat.com) wrote:
>>>> 
>>>>> +        const char *prefixes[] = { "/dev", "/var/run", NULL };
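Review bot: the list `{ "/dev", "/var/run", NULL }` names only /var/run, so the lookup depends on the policy's patterns being written under /var/run and on the library applying the /run -> /var/run equivalence to the prefix, which the thread says the initial-context loading code does not do; on a system where /var/run is a symlink to /run, a path presented as /run/udev will then fall through to the default label. Add both spellings, `{ "/dev", "/run", "/var/run", NULL }`, as the footnote below suggests, so the lookup works whichever prefix the policy uses.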
>>>> 
>>>> Is there a reason this mentions /var/run and not /run?
>>>> 
>>>> Otherwise looks good to me!
>>> 
>>> I have now committed the patch but took the liberty to change /var/run
>>> to /run here.
>>> 
>>> Lennart
>>> 
>> Yes it has to be /var/run.  The policy is all written with the upstream
>> /var/run patterns not /run.
>> 
>> 
>> # matchpathcon -p /run /run/udev /run/udev
>> system_u:object_r:default_t:s0
>> 
>> # matchpathcon -p /var/run /run/udev /run/udev
>> system_u:object_r:udev_var_run_t:s0
>> 
>> We have equivalence match between /run -> /var/run
>> 
>> But the library for loading initial context does not take this into
>> account.
> 
> Hmm, but it seems wrong to encode in the C code that the policy hasn't been
> updated for the /var/run move yet... [1]
> 
> Note that starting with F17 /var/run is unconditionally a symlink now, and
> no longer a bind mount. This means /run is always the right name for this,
> on any level. Isn't it time to update the policy to reflect this?
> 
> Hmm, people have noticed that systemd 184 (with your patch applied)
> doesn't build on non-Fedora anymore because your patch appears to use a
> Fedora-only API addition. Will this go upstream any time soon? I feel quite
> uncomfortable leaving systemd in this state, effectively breaking
> everybody's but Fedora's build with this.
> 
> Thanks,
> 
> Lennart
> 
> 
> Footnotes:
> 
> [1] The least we should probably do is include both /var/run and /run in 
> the list...
> 
Ok Eric and I will work to get it upstream.  I guess for F18 I can move the
/var/run definition to /run and reverse the equivalence.  But it is probably
best to put /var/run and /run in the list.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/HUEUACgkQrlYvE4MpobPTtgCghCBEH6gpzKUrCEqKHTuSBK68
he0An3l5+X0Csz0kCCUAhSttdCvtMD+p
=/uW0
-----END PGP SIGNATURE-----
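The matchpathcon output quoted above shows the two pieces that interact: a prefix filter that decides which file_contexts entries are loaded at all, and a path equivalence (/run -> /var/run) that is applied to the looked-up path but not to the prefix. The following is an added model of that behaviour, written for this page; it is not libselinux or systemd code, and the file_contexts lines and the substitution table are constructed for illustration (the pattern regexes, last-match-wins rule and stem-based prefix filter are simplifications of what libselinux does).

```python
"""Toy model of SELinux file-context lookup with a prefix filter and a
/run -> /var/run path equivalence.  Added example, not libselinux or
systemd code; the policy fragment and substitution table are constructed."""
import re

# Regex metacharacters: the literal text before the first one is the "stem".
META = set(".^$?*+|[](){}\\")

# Constructed file_contexts fragment: generic patterns first, specific later.
FILE_CONTEXTS = """
/.*                         system_u:object_r:default_t:s0
/dev(/.*)?                  system_u:object_r:device_t:s0
/var/run(/.*)?              system_u:object_r:var_run_t:s0
/var/run/udev(/.*)?         system_u:object_r:udev_var_run_t:s0
"""

# Constructed equivalence table (like file_contexts.subs_dist): look /run up as /var/run.
SUBS = [("/run", "/var/run")]


def stem(pattern):
    """Literal leading part of a pattern, used to decide which specs a prefix selects."""
    out = []
    for ch in pattern:
        if ch in META:
            break
        out.append(ch)
    return "".join(out)


def parse_file_contexts(text):
    """Return a list of (pattern, compiled anchored regex, context) tuples."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        pattern, ctx = parts[0], parts[-1]  # optional file-type field is ignored here
        specs.append((pattern, re.compile(pattern + "$"), ctx))
    return specs


def load_with_prefixes(specs, prefixes):
    """Keep only specs relevant to the given prefixes (the -p / selabel_open prefix idea).

    A spec survives when its stem lies under one of the prefixes, or when the stem
    is itself a prefix of the requested prefix (so catch-alls such as /.* survive).
    The equivalence table is deliberately NOT applied to the prefixes: that is the
    gap the thread describes, so a prefix of /run selects none of the /var/run specs.
    """
    kept = []
    for pattern, regex, ctx in specs:
        s = stem(pattern)
        if any(s.startswith(p) or p.startswith(s) for p in prefixes):
            kept.append((pattern, regex, ctx))
    return kept


def apply_subs(path, subs=SUBS):
    """Rewrite a path through the equivalence table (/run/udev -> /var/run/udev)."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, specs):
    """Return the context of the last matching spec after path substitution."""
    path = apply_subs(path)
    ctx = None
    for _, regex, c in specs:
        if regex.match(path):
            ctx = c
    return ctx


def matchpathcon(prefix, path):
    """Model of `matchpathcon -p PREFIX PATH` as run in the thread."""
    specs = load_with_prefixes(parse_file_contexts(FILE_CONTEXTS), [prefix])
    return lookup(path, specs)


def type_of(ctx):
    """Extract the type field from user:role:type:level."""
    return ctx.split(":")[2]


if __name__ == "__main__":
    print(matchpathcon("/run", "/run/udev"))      # falls through to default_t
    print(matchpathcon("/var/run", "/run/udev"))  # udev_var_run_t
```

Running it reproduces the contrast from the quoted session: with prefix /run only the catch-all is loaded and /run/udev gets default_t, while with prefix /var/run the udev rule is loaded and the substituted path /var/run/udev gets udev_var_run_t. Passing both /run and /var/run in the prefix list, as the footnote proposes, yields the correct label whichever spelling the policy patterns use.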

