On 08/27/2014 04:54 AM, Lennart Poettering wrote: > On Tue, 26.08.14 21:52, Lennart Poettering ([email protected]) wrote: > >> >> On Thu, 21.08.14 12:58, WaLyong Cho ([email protected]) wrote: >> >>> If selinux is disabled and smack is only enabled, smack label is >>> relable-ed by label_fix. To avoid, make only be labeled for selinux. >>> --- >>> src/udev/udev-node.c | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c >>> index 6a9788b..00ade2c 100644 >>> --- a/src/udev/udev-node.c >>> +++ b/src/udev/udev-node.c >>> @@ -314,8 +314,8 @@ static int node_permissions_apply(struct udev_device >>> *dev, bool apply, >>> } >>> >>> /* set the defaults */ >>> - if (!selinux) >>> - label_fix(devnode, true, false); >>> + if (!selinux && use_selinux()) >>> + mac_selinux_fix(devnode, true, false); >> >> Shouldn't mac_selinux_fix() simply become a NOP returning ENOTSUP if >> selinux is disabled? Then, we can just invoke it here always, with no ill >> effects... > > Or actually, it shouldn't even return ENOTSUP, but simply 0... that's at > least how the rest of the selinux code currently appears to work if > selinux is off...
Yes, right. And I just focused on SMACK only enabled case. In that case, the path is re-labeled again by label_fix what include also mac_smack_relabel_in_dev. Therefore the path was labeled twice. The first was labeled correctly by mac_smack_path and the second was labeled by mac_smack_relabel_in_dev. So all of /dev nodes were labeled "*" or "_". So I made do only for selinux on there. Is there any points should be modified? >> >>> if (!smack) >>> mac_smack_path(devnode, NULL); >>> } >> >> >> Lennart >> > > > Lennart > WaLyong _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
