On Fri, Jul 23, 2010 at 13:21, Daniel J Walsh <dwa...@redhat.com> wrote:
> On 07/23/2010 06:56 AM, Kay Sievers wrote:
>> On Fri, Jul 23, 2010 at 12:30, Daniel J Walsh <dwa...@redhat.com> wrote:
>>> I thought I saw avc's caused by systemd creating some devices with
>>> the wrong labels? I searched for mknod but found no calls. Does
>>> systemd create any nodes?
>>
>> It should not create any nodes. Systemd depends on the
>> kernel-maintained devtmpfs for all device nodes.
>>
>> Udev runs on top of devtmpfs and adjusts permissions/selinux context
>> in the background. Could there be a timing problem, that some nodes
>> which the kernel has created get accessed, but don't have the proper
>> context in the moment udev is still iterating over them?
>>
> Probably. It could be devices created in initrd are being accessed
> before udev relabels.
>
> I think we need a restorecon -Rv /dev in dracut before /bin/init is
> executed. I tried to put this into
> /usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh
>
> but as I remember it told me that /dev was read-only at the time.
Hmm, initramfs mounts /dev, which is the kernel's devtmpfs. Before
init/systemd is started the same /dev from initramfs is moved to the
rootfs' /dev. The initial /dev inside the initramfs is the kernel's ramfs
root, which should also be writable. So /dev should always be writable.

Kay
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
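The race Kay describes (a node on devtmpfs accessed before udev or restorecon has relabelled it) shows up in the audit log as an AVC denial whose target still carries the generic devtmpfs label. The script below is an added example, not code from the thread or from systemd/udev; it assumes the standard audit AVC record layout and that the not-yet-relabelled type is device_t, and it runs over constructed sample records so it can be tried offline.

```shell
#!/bin/sh
# Added example: find AVC denials on devtmpfs device nodes that were accessed
# while still carrying the generic label, i.e. before udev/restorecon relabelled
# them. Assumes the default (unrelabelled) type is device_t; override via $1.

# Constructed sample audit records (not real logs): two early-boot denials on
# generic-labelled nodes, one on a properly labelled tty, one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1279872000.101:12): avc:  denied  { read write } for  pid=1 comm="systemd" name="null" dev=devtmpfs ino=1029 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1279872000.102:13): avc:  denied  { getattr } for  pid=1 comm="systemd" name="sda1" dev=devtmpfs ino=1200 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
type=AVC msg=audit(1279872000.500:40): avc:  denied  { write } for  pid=321 comm="login" name="tty1" dev=devtmpfs ino=1311 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1279872000.500:40): arch=c000003e syscall=2 success=no exit=-13'

# Read audit records on stdin; print "name tclass" for each AVC denial whose
# target is a chr/blk device node on devtmpfs still labelled with the generic type.
unrelabeled_dev_denials() {
    generic="${1:-device_t}"
    awk -v gen="$generic" '
        /^type=AVC / && / denied / && / dev=devtmpfs / {
            name = ""; tclass = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                # tcontext=user:role:type:level -> take the type field
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            if ((tclass == "chr_file" || tclass == "blk_file") && ttype == gen)
                print name, tclass
        }'
}

# Number of such denials in the sample; 0 means every accessed node had
# already been relabelled, anything else points at the early-boot race.
count_unrelabeled_dev_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | unrelabeled_dev_denials "$1" | wc -l | tr -d ' '
}
```

On a real system feed `ausearch -m avc --raw` (or /var/log/audit/audit.log) into unrelabeled_dev_denials instead of the sample string.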