Description of problem: We are trying to write better SELinux policy for the initscripts and we came across rc.sysinit requiring the ability to mk blk devices on /dev. Can't this functionality be moved to udev?

diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.11/domains/program/initrc.te --- nsapolicy/domains/program/initrc.te 2005-03-24 08:58:25.000000000 -0500 +++ policy-1.23.11/domains/program/initrc.te 2005-04-14 15:30:19.000000000 -0400 @@ -12,7 +12,7 @@ # initrc_exec_t is the type of the init program. # # do not use privmail for sendmail as it creates a type transition conflict -type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain; +type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain; role system_r types initrc_t; uses_shlib(initrc_t);

Note that the above is needed for the following command: echo "raidautorun /dev/md0" | nash --quiet
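Review bot: the hunk moves `fs_domain` out of the `unlimitedRC` ifdef, so `initrc_t` now carries that attribute unconditionally rather than only when `unlimitedRC` is defined, while the description only justifies creating block device nodes under /dev so that `raidautorun /dev/md0` can run; nothing in the hunk or its comment block says why the whole attribute, rather than a narrower allow rule or a dedicated domain for nash, is the right scope. Suggest either adding a comment above the `type initrc_t` line recording the raidautorun requirement, or keeping `fs_domain` inside the ifdef and granting the block-node privileges to a separate nash domain that only `initrc_t` may transition into.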
Why is this assigned to udev?
Because I think udev should be doing it. I also cc'd Bill.
then the kernel module has to send hotplug events and udev will create those devices... no change to udev needed!!
It doesn't work that way. The raidautorun command requires a device node to operate on (basically, to send the ioctl on). *Then*, it scans the partitions and actually creates the raid devices. This is what would send the hotplug event.
So should I give these privs to nash and only allow nash to be transitioned by initrc? Is nash used by anything else? Dan
Yeah, that sounds about right. nash is used on the initrd. Don't think it's used anywhere else.
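The following is an added illustration, not policy from this bug report or from the policy-1.23.11 tree, of what the last two comments describe: a dedicated domain for nash that only initrc_t can enter, holding the block-device privileges so that initrc_t itself does not need fs_domain. It is written in the style of the NSA example policy macros of that era (domain_auto_trans, file_type_auto_trans, uses_shlib, rw_dir_perms). The type names nash_t and nash_exec_t are assumptions; the actual tree may already label nash differently.

```selinux
# Added example (not from the bug thread): a separate nash domain.
# nash_t / nash_exec_t are assumed names.

type nash_t, domain, privlog;
type nash_exec_t, file_type, sysadmfile, exec_type;
role system_r types nash_t;
uses_shlib(nash_t);

# Only rc.sysinit, running as initrc_t, transitions into nash_t.
# No other domain gets a domain_auto_trans to nash_t, which is the
# "only allow nash to be transitioned by initrc" restriction.
domain_auto_trans(initrc_t, nash_exec_t, nash_t)

# nash reads its commands on stdin from the initrc pipe:
#   echo "raidautorun /dev/md0" | nash --quiet
allow nash_t initrc_t:fd use;
allow nash_t initrc_t:fifo_file { read getattr };

# raidautorun needs an existing block node under /dev to send the ioctl to.
# Let nash create the node in /dev (device_t directory) and label the new
# node as a fixed disk device instead of inheriting device_t.
allow nash_t device_t:dir rw_dir_perms;
file_type_auto_trans(nash_t, device_t, fixed_disk_device_t, blk_file)
allow nash_t fixed_disk_device_t:blk_file { create getattr read write ioctl };

# Nothing else is granted here: no fs_domain, no admin, so initrc_t keeps
# its original attribute set and the raw-device access is confined to nash_t.
```

The point of the split is least privilege for the init scripts: the ioctl and the mknod on /dev are needed only for the one nash invocation, so they live in nash_t, and an audit denial on fixed_disk_device_t from any domain other than nash_t remains a meaningful signal rather than noise from initrc_t.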