| Summary: | <sys-apps/policycoreutils-2.1.13-r8 does not support restoring contexts of /dev files | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sven Vermeulen (RETIRED) <swift> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | ||
| Severity: | normal | CC: | selinux |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | selinux-utils | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Sven Vermeulen (RETIRED)
2013-03-29 09:16:53 UTC
Seems to be only when called from within the initramfs, as that all runs in the kernel_t domain. The /dev/device-mapper one is now in policy. The other ones will be more difficult (if not impossible) with just policy changes as the names of the files are chosen by the user, and we cannot create a catch-all file transition. Hence, for /dev/mapper/* we need to wait and run a restorecon later. Back to square 1, device-mapper is a character device, so the file transition won't work 18:06 <@SwifT> so either I do some overhauling on the policy, making /dev/mapper something like "mapper_device_t" and then have all
block devices in mapper_device_t be marked as fixed_disk_device_t (but then all domains that need access to
/dev/mapper need search or even list privileges on mapper_device_t + transition of the control file should be on
mapper_device_t as well)... or we just have a restorecon on /dev...
18:06 <@SwifT> honestly, the restorecon sounds like a lot easier :p
Guess we'll have to push /etc/init.d/selinux_gentoo more. I'll move this bug together with the stabilization of policycoreutils-2.1.13-r8 or higher
Stabilized |