On Sun, Sep 19, 2010 at 11:40:37PM +1000, Russell Coker wrote:
> On Sun, 19 Sep 2010, Bastian Blank <wa...@debian.org> wrote:
> > On Sun, Sep 19, 2010 at 10:45:06PM +1000, Russell Coker wrote:
> > > The reason is that the module load causes the kernel to create device
> > > nodes in the devtmpfs. This bypasses the udev code for labelling the
> > > device node and results in xenstored being unable to access
> > > /dev/xen/evtchn and therefore not working.
> > No, it does not. The code to create devices in libxc was removed.
> What is libxc?
The core xen library interface. It used to create devices on its own.

Please check if there is still a mknod permission for Xen related parts in
the selinux policy.

> The kernel creates the device node /dev/xen/evtchn, the creation process
> bypasses even the kernel auditing layer because it's in the kernel.
>
> http://marc.info/?t=128295019200002&r=1&w=2
>
> The above URL has a link to some of the discussion of this issue by Red Hat
> people. They are working on a nicer solution, but we can't do that for
> Squeeze.

My interpretation is: udev needs to change the context for already existing
files the same way it does with the DAC permissions. udev _still_ gets its
hands on the devices, otherwise all the permissions would be wrong.

> > > But for Squeeze it would be good if this could get included. It's one
> > > line of shell code that results in nothing being done if policycoreutils
> > > is not installed. I can't imagine any way that such a change could
> > > break anything.
> > You want to change an undefined number of packages?
> I want to change every package that has a confined daemon which has a startup
> script that loads a kernel module which creates a devtmpfs node rather than
> just allowing udev to do it.

If selinux can't cope with devtmpfs, don't use it.

> I don't think that will be many packages.

As you don't seem to know that, please discuss that under mass bug filing
rules. Also you have to discuss that with the release team, we are in deep
freeze right now.

Bastian

-- 
Vulcans never bluff.
		-- Spock, "The Doomsday Machine", stardate 4202.1
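The two concrete points in this exchange are (a) the "one line of shell" Russell proposes for init scripts: after the module load has let the kernel create nodes directly in devtmpfs, restore their SELinux contexts, doing nothing when policycoreutils is not installed, and (b) Bastian's request to check whether the policy still grants the Xen domains mknod. The following is an added example illustrating both; it is not code from this thread, from the Debian xen packages, or from any init script. The function names, the /dev/xen path, the module name, the `RESTORECON` override (present only so the helper can be exercised without root or an SELinux kernel) and the `xenstored_t` domain name are all assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of any Debian package.
# Restore SELinux contexts on device nodes that the kernel created itself
# in devtmpfs, which udev's labelling code never saw. Nothing happens unless
# policycoreutils' restorecon is available.

# relabel_devnodes PATH... : run restorecon on every PATH that exists.
# Prints "skipped" when restorecon is unavailable, otherwise "relabeled N".
# RESTORECON is an assumed override so the helper can be tested without root.
relabel_devnodes() {
    restorecon_cmd="${RESTORECON:-restorecon}"
    if ! command -v "$restorecon_cmd" >/dev/null 2>&1; then
        echo "skipped"            # policycoreutils not installed: no-op
        return 0
    fi
    n=0
    for p in "$@"; do
        [ -e "$p" ] || continue   # node not created (yet): nothing to relabel
        "$restorecon_cmd" -R "$p" || return 1
        n=$((n + 1))
    done
    echo "relabeled $n"
    return 0
}

# xen_load_module MODULE : what a Squeeze-era init script would do on start.
# The kernel creates /dev/xen/* on module load, so relabel immediately after.
# Not invoked in this file: it needs root and a Xen-capable kernel.
xen_load_module() {
    modprobe "$1" || return 1
    relabel_devnodes /dev/xen
}

# For the other point raised in the thread, whether the Xen domains are still
# allowed to create device nodes themselves, query the loaded policy with
# setools (domain name assumed; the refpolicy module may use another):
#   sesearch --allow -s xenstored_t -c capability -p mknod
#   sesearch --allow -s xenstored_t -c chr_file -p create
# No output from both means the mknod path is gone and only the devtmpfs
# labelling gap remains to be handled.
```

`command -v` makes the whole thing a no-op on systems without policycoreutils, which is what the "nothing being done if policycoreutils is not installed" clause asks for; `restorecon -R` is used because the module may create several nodes under /dev/xen, not only evtchn.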