On 07/23/2010 01:39 PM, Kay Sievers wrote:
On Fri, Jul 23, 2010 at 13:21, Daniel J Walsh <dwa...@redhat.com> wrote:
On 07/23/2010 06:56 AM, Kay Sievers wrote:
On Fri, Jul 23, 2010 at 12:30, Daniel J Walsh <dwa...@redhat.com> wrote:
I thought I saw avc's caused because systemd creating some devices with
the wrong labels?  I searched for mknod but found no calls.  Does
systemd create any nodes?

It should not create any nodes. Systemd depends on the
kernel-maintained devtmpfs for all device nodes.

Udev runs on top of devtmpfs and adjusts permissions/selinux context
in the background. Could there be a timing problem, that some nodes
which the kernel has created get accessed, but don't have the proper
context in the moment udev is still iterating over them?

Probably.  It could be devices created in initrd are being accessed
before udev relabels.

I think we need a restorecon -Rv /dev in dracut before /bin/init is
executed.  I tried to put this into
/usr/share/dracut/modules.d/98selinux/selinux-loadpolicy.sh

but as I remember it told me that /dev was read/only at the time.

Hmm, initramfs mounts /dev, which is the kernel's devtmpfs. Before
init/systemd is started the same /dev from initramfs is moved to the
rootfs' /dev. The initial /dev inside the initramfs is the kernel's
ramfs root, which should also be writable. So /dev should always be
writable.

Kay

selinux-loadpolicy.sh should look like this:

http://dracut.git.sourceforge.net/git/gitweb.cgi?p=dracut/dracut;a=blob;f=modules.d/98selinux/selinux-loadpolicy.sh

....
mount --bind /dev "$NEWROOT/dev"
chroot "$NEWROOT" /sbin/restorecon -R /dev
....

Maybe you forgot to bind-mount before restorecon...
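As an added example (not dracut's own script and not code from the thread), the two quoted lines wrapped in the checks this thread argues about: that /dev is actually writable, and that the bind mount is in place before restorecon runs inside the chroot. The helper names and the /sysroot default are assumptions.

```shell
#!/bin/sh
# Hypothetical guard around the relabel step discussed in the thread.
# Assumes NEWROOT is the real root filesystem the initramfs has already mounted.

# Return 0 if $1 is a mount point (field 5 of /proc/self/mountinfo).
is_mountpoint() {
    awk -v p="$1" '$5 == p { found = 1 } END { exit !found }' /proc/self/mountinfo
}

# Return 0 if a file can be created in directory $1. This is the
# "/dev was read-only" symptom from the thread, checked explicitly.
is_writable_dir() {
    [ -d "$1" ] || return 1
    probe="$1/.rw-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
    return 0
}

# Bind-mount the kernel's devtmpfs into the new root (if not already done),
# then relabel from inside the chroot so restorecon resolves /dev paths
# against the policy's file contexts for the real root.
relabel_newroot_dev() {
    newroot="${1:-/sysroot}"
    if ! is_writable_dir /dev; then
        echo "/dev is not writable; refusing to relabel" >&2
        return 1
    fi
    if ! is_mountpoint "$newroot/dev"; then
        mount --bind /dev "$newroot/dev" || return 1
    fi
    chroot "$newroot" /sbin/restorecon -R /dev
}
```

relabel_newroot_dev needs root and an SELinux-enabled policy; the two helpers can be exercised on any Linux host.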
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
