Russell Coker writes:
> On Wed, 6 Mar 2002 17:39, Richard Gooch wrote:
> > > > I have hacked support for SE Linux into devfsd.
> > >
> > > I have found one problem with my current code. devfsd wants to
> > > re-apply its permissions to device nodes whenever it's restarted
> > > and whenever you do "killall -1 devfsd" to tell it to reload its
> > > config.
> >
> > I'm open to (clean) suggestions on what to do about this. Perhaps a
> > separate signal to reload the config file but don't generate the
> > synthetic events?
>
> Sounds reasonable.

OK. How about SIGUSR1? If you have a better signal, let me know.

> > But before I make such a change, tell me why you're reloading the
> > config file, but don't want to change permissions? Normally, you just
> > send SIGHUP when /var is mounted (if that's where your permissions
> > have been saved).
>
> If you decide to change your policy or add support for some type of
> device node that was not previously supported then you have to
> reload the config.
>
> Changing the policy does not necessarily require that existing permissions
> need to be changed.

Fair enough.

> > > Also this is not an issue that is restricted to SE Linux. Currently
> > > if I run "killall -1 devfsd" it will be equivalent to "mesg n" for
> > > all users!
> >
> > But in general devfsd should be configured to *not* touch permissions
> > for PTY's, so this shouldn't be a problem. What are you doing?
>
> The following is in my devfsd.conf to change the group of the pts
> devices to group tty:
> REGISTER ^pts/.* PERMISSIONS -1.tty 0600
>
> Is there any better way to do this?

That's fine. In fact, this is sufficient:

REGISTER ^pts/ PERMISSIONS -1.tty 0600

and is actually the same, since "pts/" matches ^pts/.* and may be more
efficient than having the trailing .* in the regexp.

Regards,

Richard....
Permanent: rgooch@xxxxxxxxxxxxx
Current: rgooch@xxxxxxxxxxxxxxx