> -----Original Message-----
> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> Sent: Wednesday, October 12, 2016 9:37 AM
> To: Roberts, William C <william.c.robe...@intel.com>; 'seandroid-
> l...@tycho.nsa.gov' <firstname.lastname@example.org>
> Cc: Yang, Bin Y <bin.y.y...@intel.com>
> Subject: Re: labelling /sys/kernel/debug aka debugfs
> On 10/12/2016 09:24 AM, Roberts, William C wrote:
> > It’s been reported that labelling via restorecon_recursive
> > /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a
> > thought:
> > It looks like genfscon per file labeling is supported by selinux (like
> > procfs), on linux master branch, I see:
> > selinux_set_mnt_opts():
> > <snip>
> >     if (!strcmp(sb->s_type->name, "debugfs") ||
> >         !strcmp(sb->s_type->name, "sysfs") ||
> >         !strcmp(sb->s_type->name, "pstore"))
> >             sbsec->flags |= SE_SBGENFS;
> > <snip>
> > Would using genfscon statements and removing the restorecon_recursive
> > be faster since it avoids the tree walk? Any caveats, issues one can think
> > of?
> First, I'd be interested in understanding why that is taking so long, and
> with time on restorecon_recursive /sys (performed directly by init).
> The SE for Android todo list does suggest investigating this for replacing the
> restorecon_recursive /sys, so it would make sense to investigate it for both.
> does require that the device kernel include the necessary support. As noted in
> https://android-review.googlesource.com/#/c/151776/, you are also limited in
> that genfscon only supports pathname prefix matching, not regexes.
I don't see any uses where the lack of regex support would be a problem.
I'll see if Bin, the reporter, can collect more stats for us, Yang could you
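Added example, not part of the original thread and not code from AOSP or the kernel: a Python check of which file_contexts-style regexes under /sys/kernel/debug can be rewritten as genfscon prefix entries, plus a model of how a prefix-only lookup resolves paths. The specs, the labels (including debugfs_example) and the lookup model (longest entry first, plain string-prefix comparison) are assumptions made for illustration.

```python
# Added example: which file_contexts regexes can become genfscon prefixes.
# All specs and labels below are constructed sample values.
MOUNT, FSTYPE, TAIL = "/sys/kernel/debug", "debugfs", "(/.*)?"
REGEX_META = set(".^$*+?()[]{}|\\")

FILE_CONTEXTS = [
    ("/sys/kernel/debug(/.*)?", "u:object_r:debugfs:s0"),
    ("/sys/kernel/debug/tracing(/.*)?", "u:object_r:debugfs_tracing:s0"),
    ("/sys/kernel/debug/dri/[0-9]+/state", "u:object_r:debugfs_example:s0"),
]

def to_genfscon(regex, context):
    """Return a genfscon line if the spec is a plain path prefix, else None."""
    # A literal spec without the subtree tail is also emitted; as a genfscon
    # prefix it then covers more than the single path the regex matched.
    body = regex[:-len(TAIL)] if regex.endswith(TAIL) else regex
    rel = body[len(MOUNT):]
    if not body.startswith(MOUNT) or (rel and not rel.startswith("/")):
        return None          # not under the debugfs mount point
    if REGEX_META & set(body):
        return None          # needs regex matching, which genfscon lacks
    return f"genfscon {FSTYPE} {rel or '/'} {context}"

def convert(specs):
    """Split specs into genfscon lines and regexes that still need restorecon."""
    lines, leftover = [], []
    for regex, context in specs:
        line = to_genfscon(regex, context)
        if line:
            lines.append(line)
        else:
            leftover.append(regex)
    return lines, leftover

def genfs_lookup(lines, path):
    """Assumed lookup model: longest entry first, plain string-prefix compare."""
    entries = [line.split()[2:4] for line in lines]
    for prefix, context in sorted(entries, key=lambda e: -len(e[0])):
        if path.startswith(prefix):
            return context
    return None

if __name__ == "__main__":
    lines, leftover = convert(FILE_CONTEXTS)
    print("\n".join(lines))
    print("still needs a regex:", leftover)
    for p in ("/tracing/trace", "/dri/0/state", "/tracing_extra"):
        print(p, "->", genfs_lookup(lines, p))
```

Under this model /tracing_extra resolves to the tracing label, because the comparison is on the string prefix rather than on path components, and the [0-9]+ spec is reported as one that a prefix entry cannot replace.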