Re: [systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
On Fri, 24.10.14 13:51, WaLyong Cho (walyong@gmail.com) wrote:
From: WaLyong Cho walyong@samsung.com
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
Thanks! Applied!
Lennart
--
Lennart Poettering, Red Hat
___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
From: WaLyong Cho walyong@samsung.com
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 4ac6f71..030e459 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -323,7 +323,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, /* set the defaults */ if (!selinux) -label_fix(devnode, true, false); +mac_selinux_fix(devnode, true, false); if (!smack) mac_smack_apply(devnode, NULL); } -- 2.1.2
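Review bot: In the `+mac_selinux_fix(devnode, true, false);` line the call is gated only on `!selinux`, with no check that SELinux is actually enabled, so the fix for the SMACK-only case rests entirely on mac_selinux_fix() doing nothing when SELinux is off. That behaviour is not visible in this hunk; state it in the commit message or in a comment next to `/* set the defaults */`, so that a later change to mac_selinux_fix() does not quietly bring the double labelling back.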
[systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index f46638f..3c49482 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -313,8 +313,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, } /* set the defaults */ -if (!selinux) -label_fix(devnode, true, false); +if (!selinux use_selinux()) +mac_selinux_fix(devnode, true, false); if (!smack) mac_smack_path(devnode, NULL); } -- 1.9.3
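Review bot: The added condition `if (!selinux use_selinux())` has no operator between `!selinux` and `use_selinux()`, so as posted it will not compile. If the intent is to relabel only when no explicit SELinux label was set and SELinux is enabled, write the condition with an explicit `&&` and resend.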
Re: [systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
On 08/27/2014 04:54 AM, Lennart Poettering wrote:
On Tue, 26.08.14 21:52, Lennart Poettering (lenn...@poettering.net) wrote:
On Thu, 21.08.14 12:58, WaLyong Cho (walyong@samsung.com) wrote:
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 6a9788b..00ade2c 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -314,8 +314,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, } /* set the defaults */ -if (!selinux) -label_fix(devnode, true, false); +if (!selinux use_selinux()) +mac_selinux_fix(devnode, true, false);
Shouldn't mac_selinux_fix() simply become a NOP returning ENOTSUP if selinux is disabled? Then, we can just invoke it here always, with no ill effects...
Or actually, it shouldn't even return ENOTSUP, but simply 0... that's at least how the rest of the selinux code currently appears to work if selinux is off...
Yes, right. And I just focused on the SMACK-only enabled case. In that case, the path is relabeled again by label_fix, which also includes mac_smack_relabel_in_dev. Therefore the path was labeled twice. The first was labeled correctly by mac_smack_path and the second was labeled by mac_smack_relabel_in_dev. So all of the /dev nodes were labeled * or _. So I made it do so only for selinux there. Are there any points that should be modified?
if (!smack) mac_smack_path(devnode, NULL); }
Lennart
Lennart
WaLyong
Re: [systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
On Thu, 21.08.14 12:58, WaLyong Cho (walyong@samsung.com) wrote:
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 6a9788b..00ade2c 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -314,8 +314,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, } /* set the defaults */ -if (!selinux) -label_fix(devnode, true, false); +if (!selinux use_selinux()) +mac_selinux_fix(devnode, true, false);
Shouldn't mac_selinux_fix() simply become a NOP returning ENOTSUP if selinux is disabled? Then, we can just invoke it here always, with no ill effects...
if (!smack) mac_smack_path(devnode, NULL); }
Lennart
--
Lennart Poettering, Red Hat
[systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 6a9788b..00ade2c 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -314,8 +314,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, } /* set the defaults */ -if (!selinux) -label_fix(devnode, true, false); +if (!selinux use_selinux()) +mac_selinux_fix(devnode, true, false); if (!smack) mac_smack_path(devnode, NULL); } -- 1.9.3
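Review bot: The commit message does not say what label a device node ends up with after label_fix() runs, or why that label is wrong, so the replacement of `-label_fix(devnode, true, false);` by `+mac_selinux_fix(devnode, true, false);` cannot be judged from the patch alone. Add a sentence describing the labels observed on a SMACK-only system and which call produces them, so the regression is recognisable if it reappears.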
[systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index fa10d04..e237363 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -314,8 +314,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, } /* set the defaults */ -if (!selinux) -label_fix(devnode, true, false); +if (!selinux use_selinux()) +label_selinux_fix(devnode, true, false); if (!smack) label_smack_path(devnode, NULL); } -- 1.9.3
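Review bot: The `use_selinux()` test sits at this call site rather than inside label_selinux_fix(), so every other caller of label_selinux_fix() needs the same guard to get the same behaviour when SELinux is disabled. Moving the check into the function would let this line stay as `if (!selinux)` followed by the call and keeps the enabled/disabled decision in one place.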
[systemd-devel] [PATCH 2/2] udev: do NOT re-label smack
If selinux is disabled and only smack is enabled, the smack label is relabeled by label_fix. To avoid this, make it only be labeled for selinux.
--- src/udev/udev-node.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 9ec98bc..f4f4827 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -314,8 +314,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, } /* set the defaults */ -if (!selinux) -label_fix(devnode, true, false); +if (!selinux use_selinux()) +selinux_label_fix(devnode, true, false); if (!smack) smack_label_path(devnode, NULL); } -- 1.9.3
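Review bot: The two defaults under `/* set the defaults */` are now gated differently: the SELinux call requires `use_selinux()`, while `if (!smack) smack_label_path(devnode, NULL);` just below has no matching enabled check. If smack_label_path() already returns early when SMACK is off, note that in the commit message; otherwise give both branches the same kind of guard so the SELinux-only case does not get the mirror image of this bug.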