Re: devfs_contexts

From: Russell Coker <russell_at_coker.com.au>
Date: Thu, 24 Jan 2002 06:40:25 +1100


On Thu, 24 Jan 2002 05:29, Richard Gooch wrote:
> > Do you think it would make sense to have a SE version of devfsd that
> > applied SE SID's at the same time as applying regular permissions to
> > devfs managed device nodes? It makes sense to me to have both
> > regular file system permissions and SE sids applied at the same
> > time.
> >
> > I could do the devfsd patch in a small amount of time if desired
> > (I've written plenty of patches for devfsd already so I know the
> > code reasonably well).
> >
> > NB I've CC'd Richard Gooch to get his opinions on this matter.
>
> First, can someone answer these questions:
>
> - how much code is required to support this

I have attached the source to chsid.c, the source for the chsid program. It operates in a similar fashion to chown(1). As you can see there isn't much code. All I have to do is to parse the config file for an extra parameter.

At this stage I wouldn't be volunteering to write it if I thought it would take a lot of code. ;)

> - will it break compilation of devfsd on non-SELinux systems

I was thinking of putting #ifdef SELINUX around it all.

> - will an SELinux-enabled devfsd run on normal systems

Yes. It can detect that there is no SE code running, log a warning message and just run with regular functionality.

> - what are these devfs_contexts and where are they kept

Currently devfs_contexts is compiled and stored in the database /ss_policy, the kernel loads that file and then processes it accordingly.

> - where are the SELinux SID's kept? In the VFS inode?

It appears to be in the inode in the VFS.

For regular file systems such as Ext2 and ReiserFS the inode number is used as an index to a per-file-system database of security permissions which is then consulted as necessary.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
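The idea discussed above (devfsd applying a security label together with the regular owner/group/mode from one config entry) as an added example, not code from the thread, from devfsd or from the chsid program. The "owner.group mode context" line format is a constructed extension of devfsd's PERMISSIONS field, and the label is written through the modern security.selinux xattr, assumed here as a stand-in for the chsid() call of the 2002 kernel patch; the node is kept at mode 0000 until the label is set so nothing can open it with a default label in between.

```c
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

struct devperm {
    char owner[32], group[32], context[128];
    mode_t mode;
};

/* Parses "owner.group 0660 user:role:type" (constructed format; the third
 * field is the proposed extra parameter). Returns 0, or -1 if malformed. */
int parse_devperm(const char *line, struct devperm *p)
{
    char ug[65], modestr[8], *dot, *end;
    memset(p, 0, sizeof *p);
    if (sscanf(line, "%64s %7s %127s", ug, modestr, p->context) != 3)
        return -1;
    dot = strchr(ug, '.');
    if (!dot || dot == ug || !dot[1]) return -1;      /* need owner and group */
    *dot = '\0';
    snprintf(p->owner, sizeof p->owner, "%s", ug);
    snprintf(p->group, sizeof p->group, "%s", dot + 1);
    long m = strtol(modestr, &end, 8);
    if (*end || m < 0 || m > 07777) return -1;        /* octal mode only */
    p->mode = (mode_t)m;
    if (!strchr(p->context, ':')) return -1;          /* at least user:role:type */
    return 0;
}

/* Applies owner, label and mode to an existing device node. Mode is dropped
 * to 0000 first and restored last, so the node is never reachable while it
 * still carries the default label. Returns 0 or -errno. */
int apply_devperm(const char *path, const struct devperm *p)
{
    struct passwd *pw = getpwnam(p->owner);
    struct group *gr = getgrnam(p->group);
    if (!pw || !gr) return -EINVAL;
    if (chmod(path, 0) < 0) return -errno;
    if (chown(path, pw->pw_uid, gr->gr_gid) < 0) return -errno;
    /* assumption: setxattr on security.selinux stands in for chsid() */
    if (setxattr(path, "security.selinux", p->context, strlen(p->context) + 1, 0) < 0)
        return -errno;
    if (chmod(path, p->mode) < 0) return -errno;
    return 0;
}
```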


Received on Wed 23 Jan 2002 - 14:57:07 EST

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:26 EDT