[kay.sievers at vrfy.org]

Daniel J Walsh dwalsh at redhat.com
Mon Feb 6 18:15:29 UTC 2006


Stephen Smalley wrote:
> On Mon, 2006-02-06 at 10:46 -0500, Bill Nottingham wrote:
>   
>> Some questions from the upstream udev maintainer... from reading
>> it, the media stuff is because CDROMs, etc. have a different file
>> type, and the default file context needs set in everything that
>> creates devices. Is that correct?
>>     
>
> Dan Walsh wrote the original udev SELinux support, so take this with a
> grain of salt, but I think that you are correct.  The usual file
> contexts approach of labeling based on pathname regex wasn't sufficient
> for removable media, so Dan introduced the specialized media handling.  
>
> On Kay's selinux_init question:
>
>   
>> Can't we move the selinux_init() called from every event process
>> to the single main daemon init? I don't know how expensive that is,
>> nor do I know if selinux is fine with that, but if we can make that
>> faster it would be better...
>>     
>
> The expensive part of selinux_init is matchpathcon_init, but that should
> be somewhat alleviated by the introduction of matchpathcon_init_prefix
> so that only the necessary file_contexts entries are processed and the
> libselinux changes to perform lazy canonicalization of the security
> contexts.
>
> The matchpathcon_init has to be done in the process that performs the
> subsequent matchpathcon calls, as it populates an in-memory data
> structure used by matchpathcon.  Conceivably, both the
> matchpathcon_init_prefix and the later matchpathcon calls could be done
> in the parent daemon and the children could receive the appropriate
> context info from the parent via a pipe or commandline argument, but
> someone would have to work out the details there.
>
> The rest of selinux_init is just saving the old file creation context
> (if one was previously set) so that it can be restored later.  In
> practice, I suspect that this is always NULL for udev, and we could
> "optimize" this away, but it is safer to always save-and-restore it, and
> that isn't the expensive part.
>
>   
>> And the get_media() in udev_selinux.c for every block device seems
>> a bit weird. Do you know if this is really needed? What about scsi then?
>> I've added the IDE stuff to sysfs in 2.6.15, so we should at least
>> use the file there...
>>     
>
> Not sure - I'll defer to Dan on this.
>
>   
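How about if we changed the call to:

        /* S_ISBLK() masks the type field with S_IFMT; a bare
         * (mode & S_IFBLK) is also non-zero for char devices. */
        if (S_ISBLK(mode)) {
            /* only block devices get the media-specific context */
            media = get_media(devname, mode);
            if (media) {
                ret = matchmediacon(media, &scontext);
                free(media);
            }
        }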
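
The guard in the snippet above only restricts get_media() to block devices if the file-type field of the mode is compared as a whole. The following is an added example, not code from this thread or from udev; it assumes the Linux st_mode encoding, and the sample modes and helper names are constructed for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* expose S_IFLNK / S_IFSOCK under strict -std */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Loose test: true when any bit of S_IFBLK is set in mode. */
static int loose_is_block(mode_t mode) { return (mode & S_IFBLK) != 0; }

/* Strict test: S_ISBLK() masks with S_IFMT and compares the whole type field. */
static int strict_is_block(mode_t mode) { return S_ISBLK(mode) != 0; }

/* Constructed sample modes, one per file type (hypothetical names). */
static const struct { const char *name; mode_t mode; } samples[] = {
    { "block device", S_IFBLK  | 0660 },
    { "char device",  S_IFCHR  | 0660 },
    { "directory",    S_IFDIR  | 0755 },
    { "regular file", S_IFREG  | 0644 },
    { "fifo",         S_IFIFO  | 0600 },
    { "symlink",      S_IFLNK  | 0777 },
    { "socket",       S_IFSOCK | 0600 },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of sample types the loose test would wrongly send to get_media(). */
int count_mismatches(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (loose_is_block(samples[i].mode) != strict_is_block(samples[i].mode))
            n++;
    return n;
}

int main(void)
{
    printf("%-14s %-7s %-5s %s\n", "type", "mode", "loose", "strict");
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-14s %07o %-5d %d\n", samples[i].name,
               (unsigned)samples[i].mode,
               loose_is_block(samples[i].mode),
               strict_is_block(samples[i].mode));
    printf("mismatches: %d\n", count_mismatches());
    return 0;
}
```

On Linux S_IFBLK (0060000) shares bits with S_IFCHR and S_IFDIR, which is why the two tests disagree for several non-block types.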





