
Re: makedev stuff



I took a quick look at the selinux package. I'm not sure I completely
understand, but I'm sure you'll correct me.  :)

Taking /dev/random from the file context stuff:
/dev/random                     system_u:object_r:random_device_t

echo "std mknod ... && chmod ... && data=$(grep "^/dev/random"
.../types.fc" >> /etc/makedev.d/selinux

I'm not sure how that data is treated (the
"system_u:object_r:random_device_t"), but I assume it's parsed and
handed off to a command (or commands).  When `MAKEDEV std` is run, it
would scan through the files in /etc/makedev.d (in locale-definable
order).  Ideally what happens is that the standard 'std' is read first;
/dev/random is created normally; then selinux's stuff is read after,
re-creating /dev/random, and setting the security context (overriding the
defaults).

In order to guarantee this, we probably want to do some sort of ordering
scheme similar to sysvinit's runlevel directories.. All default device
config files prefixed w/ "50", w/ things overriding defaults using "99"
or something.

Alternatively, when macros are implemented, we could do something like
creating macro/variables for mknod; 00macro (name taken from redhat) has
something like
DEF_MKNOD="mknod --mode=644"
and in 05macro:
SE_MKNOD="mknod --stuff=..." (or SE_MKNOD="semknod --mode=640")
DEF_MKNOD=$(SE_MKNOD)

and within std:
std $(DEF_MKNOD) random ...

I'm open to suggestions; unfortunately, I really don't know that much
about selinux.


On Sun, Jul 28, 2002 at 03:35:03AM +0200, Russell Coker wrote:
> 
> On Sun, 28 Jul 2002 02:54, Andres Salomon wrote:
> > Here are a few example config file entries:
> > std mknod --mode=640 mem c 1 1 && chown root:kmem mem
> > std mknod --mode=640 kmem c 1 2 && chown root:kmem kmem
> > lvm2 mkdir device-mapper; minor=$(grep "[0-9] device-mapper$" /proc/misc |
> > sed 's/[ ]\+device-mapper//'); mknod --mode=600 device-mapper/control c 10
> > $minor && chown root:root device-mapper/control
> >
> > I decided to go w/ running commands, instead of going w/ Redhat and
> > Ian Zimmerman's methods of calling mknod()/link() directly so that
> > packages could extend makedev without having to touch the source code
> 
> So how would we hook into this?
> 
> I would like to have my SE Linux package hook into this and pass the security 
> context to the SE version of mknod after searching the regular expressions in 
> the file_context file to determine what context to have.
> 
> -- 
> I do not get viruses because I do not use MS software.
> If you use Outlook then please do not put my email address in your
> address-book so that WHEN you get a virus it won't use my address in the
> From field.

-- 
Broad surveillance is a mark of bad security.
	-- Bruce Schneier
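The ordering scheme and the file_context lookup sketched in the message above, as an added example that is not code from this thread, from makedev or from the SE Linux package. It is a POSIX sh stand-in: "CLASS <command>" lines are read from a 50std file and then a 99selinux file in C-locale order, so the later file re-creates the node and applies the context; lookup_ctx matches a path against file_contexts-style regexes (assumed: whole-path match, last match wins, optional "-c" type field). The helper names (lookup_ctx, se_label, makedev_run, makedev_demo), the sample contexts and the .contexts ledger are constructed for the example, and mkfifo replaces "mknod ... c 1 8" so nothing needs root or an SE-aware mknod.

```shell
#!/bin/sh
# Added example, not code from the thread or from makedev: a MAKEDEV-style
# driver that runs "CLASS <command>" lines from 50std then 99selinux, and a
# file_contexts lookup that an SE Linux hook could call. The helper names
# (lookup_ctx, se_label, makedev_run), the sample contexts and the .contexts
# ledger are constructed stand-ins; mkfifo replaces mknod c 1 8 so that no
# root or SE mknod is needed.
set -eu
export LC_ALL=C   # pin the "locale-definable" order: 50std before 99selinux

# lookup_ctx PATH FC_FILE: print the context of the last regex that matches
# the whole of PATH (assumption: last match wins; a "-c" type field is optional).
lookup_ctx() {
    path=$1 fc=$2 ctx=
    while read -r re rest; do
        case $re in ''|'#'*) continue ;; esac
        if printf '%s\n' "$path" | grep -Eqx "$re"; then
            ctx=${rest##* }    # the context is the last field of the line
        fi
    done <"$fc"
    [ -n "$ctx" ] && printf '%s\n' "$ctx"
}

# se_label NODE DEVPATH: stand-in for the SE mknod/chcon step; appends the
# resolved context to a .contexts ledger in the cwd instead of labelling NODE.
se_label() {
    printf '%s %s\n' "$1" "$(lookup_ctx "$2" "$FC_FILE")" >>.contexts
}

# recorded_ctx DEVDIR NODE: last context the ledger holds for NODE, if any.
recorded_ctx() {
    [ -f "$1/.contexts" ] || return 0
    awk -v n="$2" '$1 == n { c = $2 } END { if (c != "") print c }' "$1/.contexts"
}

# makedev_run CLASS CONFDIR DEVDIR: for each file in CONFDIR (lexical order),
# eval every "CLASS <command>" line with DEVDIR as cwd; a later file may
# re-create a node and so override what an earlier file did.
makedev_run() {
    class=$1 confdir=$2 devdir=$3
    for f in "$confdir"/*; do
        while read -r c cmd; do
            [ "$c" = "$class" ] || continue
            ( cd "$devdir" && eval "$cmd" ) </dev/null
        done <"$f"
    done
}

# makedev_demo: build a constructed config tree, run the "std" class, print DEVDIR.
makedev_demo() {
    FC_FILE=$(mktemp)           # constructed file_contexts sample
    cat >"$FC_FILE" <<'EOF'
/dev/.*               system_u:object_r:device_t
/dev/(u)?random   -c  system_u:object_r:random_device_t
/dev/k?mem        -c  system_u:object_r:memory_device_t
EOF
    confdir=$(mktemp -d) devdir=$(mktemp -d)
    cat >"$confdir/50std" <<'EOF'
std mkfifo -m 644 random
std mkfifo -m 644 urandom
EOF
    cat >"$confdir/99selinux" <<'EOF'
std rm -f random && mkfifo -m 640 random && se_label random /dev/random
EOF
    makedev_run std "$confdir" "$devdir"
    printf '%s\n' "$devdir"
}
```

Running makedev_demo creates random and urandom from 50std, then 99selinux re-creates random with mode 640 and records system_u:object_r:random_device_t for it, while urandom keeps whatever 50std gave it and gets no context: the 50/99 prefix alone is what guarantees the override, without the "std" class having to know anything about SE Linux.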


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
