[DSE-Dev] ifupdown & SE Linux

Václav Ovsík vaclav.ovsik at i.cz
Wed Sep 17 14:24:47 UTC 2008


Hi,
I installed one sid/lenny virtual machine from scratch just now and noticed
problems with ifupdown & SE Linux that I had already forgotten about. I have fixed
this locally on my test machine before.

The first problem is with the ifstate file & its parent run directory, which
is created directly in /etc/network/; this is an outstanding bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=344780
(Maybe /dev/shm is not ready in the early install stage?)
This can be fixed on an installed system by removing the directory
/etc/network/run and creating the link
/etc/network/run -> /dev/shm/network

For the correct SE Linux context of /dev/shm/network & ifstate
a modification of the init script is needed:

--- /etc/init.d/ifupdown.orig	2006-09-15 20:03:19.000000000 +0200
+++ /etc/init.d/ifupdown	2008-09-17 15:09:17.000000000 +0200
@@ -77,6 +77,7 @@
         log_end_msg 1
         exit 1
       fi
+      test ! -x /sbin/restorecon || /sbin/restorecon "$runmkdir"
     fi
 
     # Create the state file
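Review bot: the added `restorecon "$runmkdir"` relabels only the run directory, and it runs before the `# Create the state file` step that follows, so the ifstate file itself still gets whatever label the default type transition gives it rather than the context from the policy's file contexts; since the mail says the correct context is needed for both /dev/shm/network and ifstate, consider a second `restorecon` on the state file after it is created (or a recursive `restorecon -R` on the directory at the end of the block). Also, `$runmkdir` is not visible in the hunk's context, so the patch assumes it holds the directory path at this point; the `test ! -x /sbin/restorecon ||` guard is a good choice, as it keeps the script working on systems without policycoreutils installed.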

The other option is a complete solution: move to /var/run and mount /var/run
into RAM like Ubuntu does... to lower the divergence between ifupdown on
Debian & Ubuntu.
I found a big thread about /var/run in the past
http://lists.debian.org/debian-devel/2006/09/thrd2.html#00494
Probably not a solution before Lenny?

The second problem for SE Linux is that interfaces with allow-hotplug
are brought up through udevd. That means the network scripts are run under
the udev_t domain. This can be fixed by changing `allow-hotplug' to `auto'
for now. I started to write a domain ifupdown_t some time ago, but
I got stuck on changing the ifupdown package, not being certain of the way it
should go. Nevertheless, I think the policy module ifupdown can be completed with
file contexts defined for both locations /var/run/network and /dev/shm/network.
Should I try to complete the ifupdown module?
What do you think about it?
Please comment on this.
Regards.
-- 
Zito
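The local fix described in the mail (replace /etc/network/run with a symlink to a RAM-backed directory, then relabel it the way the init-script patch does) written out as one POSIX shell function. This is an added example and not code from the mail or from the ifupdown package; the `ROOT` prefix argument is a hypothetical addition so the procedure can be exercised on a scratch tree, and `restorecon` is only invoked on the live system (empty prefix) when it exists. Unlike the bare two-step recipe in the mail, it also preserves an existing ifstate file instead of deleting it together with the old directory.

```shell
# migrate_network_run ROOT [TARGET]
#   ROOT   - prefix of the tree to operate on; "" means the live filesystem
#            (hypothetical parameter added for testing on a scratch tree)
#   TARGET - RAM-backed state directory, default /dev/shm/network as in the mail
migrate_network_run() {
    root=$1
    target=${2:-/dev/shm/network}
    link="$root/etc/network/run"

    # Already migrated: a symlink pointing at the tmpfs directory.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        return 0
    fi

    # Create the RAM-backed directory that the symlink will point to.
    mkdir -p "$root$target" || return 1

    # Keep the current interface state rather than losing it with the old dir.
    if [ -d "$link" ] && [ -f "$link/ifstate" ]; then
        mv "$link/ifstate" "$root$target/ifstate" || return 1
    fi

    # Remove the real directory (rmdir refuses if unexpected files remain,
    # which is the safe failure) or any stale symlink, then create the link.
    if [ -d "$link" ] && [ ! -L "$link" ]; then
        rmdir "$link" || return 1
    else
        rm -f "$link"
    fi
    ln -s "$target" "$link" || return 1

    # Relabel directory and state file from the policy's file contexts, as the
    # init-script patch does for the directory; skipped on a scratch tree and
    # harmless when SELinux is disabled or policycoreutils is absent.
    if [ -z "$root" ] && [ -x /sbin/restorecon ]; then
        /sbin/restorecon -R "$target"
    fi
    return 0
}
```

On a live system the call is simply `migrate_network_run ""`; the second run returns immediately because the symlink is already in place, so the function can be rerun safely from a maintainer script.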
