
SELinux Mailing List

Re: devfs permissions

From: Russell Coker <russell_at_coker.com.au>
Date: Tue, 26 Feb 2002 08:30:05 +0100


On Mon, 25 Feb 2002 19:25, Stephen Smalley wrote:
> On Mon, 25 Feb 2002, Russell Coker wrote:
> > new hardware or drivers). On a devfs system there are only three
> > programs that should create anything under /dev, they are init, the
> > devfsd startup script, and devfsd itself.
>
> So what happens to other programs that try to create sockets in /dev? Are
> they transparently redirected through devfsd?

What other programs are there? The one I've just thought of which I didn't think of before is GPM. Is there anything else that's remotely common? Is this common enough that it's painful to create a new rule for every program that needs to do so?

Most such things are probably broken by design anyway.

init has a good excuse because there's not much mounted at the time it starts work; gpm has a partial excuse because it's creating a socket as a replacement for a real mouse device.

> Given the behavior you describe, it doesn't sound as though the existing
> file_type_auto_trans rules for runtime files in /dev would work anyway
> when using devfs, so perhaps it doesn't matter that you are using devfs_t.

We'll see. With some of these things it's very difficult to guess what requirements might come up without releasing a beta. I'll write sample policy files according to my ideas, distribute them, and see what feedback I get back. If I discover horrible problems or get a lot of negative feedback then I'll go back to your ideas. ;)

-- 
Signatures >4 lines are rude.  If you send email to me or to a mailing list
that I am subscribed to which has >4 lines of legalistic junk at the end
then you are specifically authorizing me to do whatever I wish with the
message (the sig won't be read).

Received on Tue 26 Feb 2002 - 04:07:53 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service