On 12/31/2016 12:41 PM, Dominick Grift wrote:
> On 12/31/2016 12:38 PM, Dominick Grift wrote:
>> On 12/31/2016 11:34 AM, cgzones wrote:
>>> Wow!
>>>
>>> Thank you very much, I was completely unaware of this feature.
>>> I did not read any documentation of it on selinuxproject.org or in The
>>> SELinux Notebook v4 about it.
>>>
>>> I got it working via
>>>
>>> genfscon sysfs /devices/system/cpu/online
>>> gen_context(system_u:object_r:cpu_online_t,s0)
>>>
>>> at
>>> https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>>
>>> One small issue arises for me:
>>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>>> 'genfscon sysfs /kernel/debug/tracing
>>> gen_context(system_u:object_r:tracefs_t,s0)'
>>> but it is still labeled initially system_u:object_r:debugfs_t:s0 after
>>> boot but seems to change on the first access?

I misread, yes, I think tracefs is mounted on demand. But this should not be
a problem because users of tracefs need to be able to traverse debugfs anyway.

>>
>> you need a genfscon for tracefs, it is mounted on the
>> kernel/debug/tracing dir
>>
>> genfscon tracefs / gen_context()
>
> Also a word of advice: don't add any fc specs for anything under /sys
>
> The stuff in there are not files (it's a pseudo fs like /proc and proc
> also doesn't have fc specs)
>
>>
>>>
>>> Example pattern:
>>>
>>> [...] boot + ssh login
>>> root@debianSE:~# restorecon -v -R -n /
>>> Warning no default label for /dev/mqueue
>>> Warning no default label for /dev/pts/0
>>> Warning no default label for /tmp/.font-unix
>>> Warning no default label for /tmp/.XIM-unix
>>> Warning no default label for /tmp/.X11-unix
>>> Warning no default label for /tmp/.Test-unix
>>> Warning no default label for /tmp/.ICE-unix
>>> Would relabel /sys/kernel/debug/tracing from
>>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>>> root@debianSE:~# restorecon -v -R -n /
>>> Warning no default label for /dev/mqueue
>>> Warning no default label for /dev/pts/0
>>> Warning no default label for /tmp/.font-unix
>>> Warning no default label for /tmp/.XIM-unix
>>> Warning no default label for /tmp/.X11-unix
>>> Warning no default label for /tmp/.Test-unix
>>> Warning no default label for /tmp/.ICE-unix
>>>
>>> Why?
>>>
>>> I think otherwise this bug can be reassigned to refpolicy.
>>>
>>> Thanks again Dominick
>>> Kind Regards,
>>> Christian Göttsche
>>>
>>> P.s.:
>>> The kernel patch is over here:
>>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>>> (might be Linux 4.2? plenty enough for me)
>>>
>>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>>> But isn't genfscon with subcontexts only available on the /proc
>>>>> filesystem?
>>>>
>>>> If your kernel is not too old, then it also works for sysfs
>>>>
>>>>>
>>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>>>>> wrote:
>>>>>>> reassign 849637 policycoreutils
>>>>>>> thanks
>>>>>>>
>>>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>>>> > is mislabeled after boot:
>>>>>>> >
>>>>>>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>>>> > Would relabel /sys/devices/system/cpu/online from
>>>>>>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>>>
>>>>>>> Not sure why this is assigned to systemd as this is not created by
>>>>>>> systemd.
>>>>>>>
>>>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>>>> initscript is explicitly relabeling it during boot.
>>>>>>>
>>>>>>> Under systemd, that initscript is masked by the
>>>>>>> selinux-autorelabel.service.
>>>>>>>
>>>>>>> I was planning to add a tmpfiles for this, but apparently I forgot
>>>>>>> about it.
>>>>>>>
>>>>>>> Reassigning to policycoreutils
>>>>>>>
>>>>>>> Laurent Bigonville
>>>>>>
>>>>>> you should be able to add a genfscon() in policy for this, provided that
>>>>>> the kernel is not too old to support that feature
>>>>>>
>>>>>> I would avoid the alternative if possible
>>>>>>
>>>>>> --
>>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>>> Dominick Grift
>>>>>>
>>>>>> _______________________________________________
>>>>>> SELinux-devel mailing list
>>>>>> selinux-de...@lists.alioth.debian.org
>>>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
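The thread turns on reading `restorecon -v -R -n` dry-run output correctly: a "Would relabel" line means the inode's current label differs from what policy (file_contexts or, for pseudo filesystems, genfscon) says it should be, while a "Warning no default label" line only means file_contexts has no spec for that path, which is expected under /sys, /proc and /dev/pts and is not a mislabel. The following script is an added example, not code from the thread or from the SELinux project: it triages such output, separating the two kinds of lines and extracting the current and expected types per path. The sample output is constructed to resemble the sessions quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage `restorecon -v -R -n` dry-run output.
# Constructed sample modelled on the thread's sessions (not a real capture).
SAMPLE_OUTPUT='Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.X11-unix
Would relabel /sys/kernel/debug/tracing from system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
Would relabel /sys/devices/system/cpu/online from system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
Would relabel /var/log/example from system_u:object_r:var_t:s0 to system_u:object_r:var_log_t:s0'

# Read restorecon output on stdin and print "PATH CURRENT_TYPE EXPECTED_TYPE"
# for every "Would relabel PATH from OLDCTX to NEWCTX" line. The type is the
# third ':'-separated field of a context (user:role:type:range).
mislabeled_paths() {
  awk '$1 == "Would" && $2 == "relabel" {
    split($5, cur, ":"); split($7, want, ":")
    print $3, cur[3], want[3]
  }'
}

# Count mislabeled paths that are, or sit below, the given directory.
# For anything under /sys the fix the thread recommends is a genfscon
# statement in policy, not a file_contexts entry and not a boot-time relabel;
# a hit that vanishes on the next run (tracefs above) is an on-demand mount.
count_mislabeled_under() {
  printf '%s\n' "$SAMPLE_OUTPUT" | mislabeled_paths \
    | awk -v p="$1" '$1 == p || index($1, p "/") == 1 { n++ } END { print n + 0 }'
}

# Count "no default label" warnings; these are informational only.
count_no_default_label() {
  printf '%s\n' "$SAMPLE_OUTPUT" | grep -c '^Warning no default label for '
}

# Usage: run the triage and print a short summary.
printf '%s\n' "$SAMPLE_OUTPUT" | mislabeled_paths
echo "mislabeled under /sys: $(count_mislabeled_under /sys)"
echo "no-default-label warnings (informational): $(count_no_default_label)"
```

On a live system, replace the embedded sample with `restorecon -v -R -n / | mislabeled_paths`; running the dry run twice, as in the thread, tells a persistent mislabel from a path that is only labeled once its filesystem is mounted.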