On 12/31/2016 12:38 PM, Dominick Grift wrote:
> On 12/31/2016 11:34 AM, cgzones wrote:
>> Wow!
>>
>> Thank you very much, I was completely unaware of this feature.
>> I did not read any documentation of it on selinuxproject.org or in The
>> SELinux Notebook v4 about it.
>>
>> I got it working via
>>
>> genfscon sysfs /devices/system/cpu/online
>> gen_context(system_u:object_r:cpu_online_t,s0)
>>
>> at
>> https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>
>> One small issue arises for me:
>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>> 'genfscon sysfs /kernel/debug/tracing
>> gen_context(system_u:object_r:tracefs_t,s0)'
>> but it is still labeled initially system_u:object_r:debugfs_t:s0 after
>> boot, but seems to change on the first access?
>
> you need a genfscon for tracefs, it is mounted on the
> kernel/debug/tracing dir
>
> genfscon tracefs / gen_context()

Also a word of advice: don't add any fc specs for anything under /sys.
The stuff in there are not files (it's a pseudo fs like /proc, and proc
also doesn't have fc specs)

>
>>
>> Example pattern:
>>
>> [...] boot + ssh login
>> root@debianSE:~# restorecon -v -R -n /
>> Warning no default label for /dev/mqueue
>> Warning no default label for /dev/pts/0
>> Warning no default label for /tmp/.font-unix
>> Warning no default label for /tmp/.XIM-unix
>> Warning no default label for /tmp/.X11-unix
>> Warning no default label for /tmp/.Test-unix
>> Warning no default label for /tmp/.ICE-unix
>> Would relabel /sys/kernel/debug/tracing from
>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>> root@debianSE:~# restorecon -v -R -n /
>> Warning no default label for /dev/mqueue
>> Warning no default label for /dev/pts/0
>> Warning no default label for /tmp/.font-unix
>> Warning no default label for /tmp/.XIM-unix
>> Warning no default label for /tmp/.X11-unix
>> Warning no default label for /tmp/.Test-unix
>> Warning no default label for /tmp/.ICE-unix
>>
>> Why?
>>
>> I think otherwise this bug can be reassigned to refpolicy.
>>
>> Thanks again Dominick
>> Kind Regards,
>> Christian Göttsche
>>
>> P.s.:
>> The kernel patch is over here:
>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>> (might be Linux 4.2? plenty enough for me)
>>
>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>>>
>>> If your kernel is not too old, then it also works for sysfs
>>>
>>>>
>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>>>> wrote:
>>>>>> reassign 849637 policycoreutils
>>>>>> thanks
>>>>>>
>>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com>
>>>>>> wrote:
>>>>>>
>>>>>> > When running an SELinux-enabled system /sys/devices/system/cpu/online
>>>>>> > is mislabeled after boot:
>>>>>> >
>>>>>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>>> > Would relabel /sys/devices/system/cpu/online from
>>>>>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>>
>>>>>> Not sure why this is assigned to systemd as this is not created by
>>>>>> systemd.
>>>>>>
>>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>>> initscript is explicitly relabeling it during boot.
>>>>>>
>>>>>> Under systemd, that initscript is masked by the
>>>>>> selinux-autorelabel.service.
>>>>>>
>>>>>> I was planning to add a tmpfiles for this, but apparently I forgot about
>>>>>> it.
>>>>>>
>>>>>> Reassigning to policycoreutils
>>>>>>
>>>>>> Laurent Bigonville
>>>>>
>>>>> you should be able to add a genfscon() in policy for this, provided that
>>>>> the kernel is not too old to support that feature
>>>>>
>>>>> I would avoid the alternative if possible
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>> Dominick Grift
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> SELinux-devel mailing list
>>>>> selinux-de...@lists.alioth.debian.org
>>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
>>>
>>>
>
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift