Re: labelling /sys/kernel/debug aka debugfs

2016-10-12 Thread Stephen Smalley
On 10/12/2016 11:51 AM, Roberts, William C wrote: > If Bin is using our N tree, then all the stuff for debugfs are exact > matches: > > > > /sys/kernel/debug/sync u:object_r:debugfs_graphics_sync:s0 > > /sys/kernel/debug/dri/0/i915_frequency_info u:object_r:debugfs_graphics:s0 > >

RE: labelling /sys/kernel/debug aka debugfs

2016-10-12 Thread Roberts, William C
If Bin is using our N tree, then all the stuff for debugfs are exact matches: /sys/kernel/debug/sync u:object_r:debugfs_graphics_sync:s0 /sys/kernel/debug/dri/0/i915_frequency_info u:object_r:debugfs_graphics:s0 /sys/kernel/debug/pstate_snb/setpoint u:object_r:debugfs_pstate:s0 Bin, can you

RE: labelling /sys/kernel/debug aka debugfs

2016-10-12 Thread Roberts, William C
> -Original Message- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: Wednesday, October 12, 2016 9:37 AM > To: Roberts, William C ; 'seandroid- > l...@tycho.nsa.gov' > Cc: Yang, Bin Y >

Re: labelling /sys/kernel/debug aka debugfs

2016-10-12 Thread Stephen Smalley
On 10/12/2016 09:36 AM, Stephen Smalley wrote: > On 10/12/2016 09:24 AM, Roberts, William C wrote: >> It’s been reported that labelling via restorecon_recursive >> /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a >> thought: >> >> >> >> It looks like genfscon per file

Re: labelling /sys/kernel/debug aka debugfs

2016-10-12 Thread Stephen Smalley
On 10/12/2016 09:24 AM, Roberts, William C wrote: > It’s been reported that labelling via restorecon_recursive > /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a > thought: > > > > It looks like genfscon per file labeling is supported by selinux (like > procfs), on linux

labelling /sys/kernel/debug aka debugfs

2016-10-12 Thread Roberts, William C
It's been reported that labelling via restorecon_recursive /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a thought: It looks like genfscon per file labeling is supported by selinux (like procfs), on linux master branch, I see: selinux_set_mnt_opts(): 815 if

Re: can't reload sepolicy

2016-10-12 Thread Stephen Smalley
On 10/12/2016 05:57 AM, peng fei wrote: > I want to modify sepolicy and verify it. > > First, > > I download the android4.4.4 sepolicy, and modify file.te and > file_context, add a new type sec_file. > #/data/audit > type sec_file, file_type, data_file_type; > /data/audit(/.*)?

can't reload sepolicy

2016-10-12 Thread peng fei
I want to modify sepolicy and verify it. First, I download the android4.4.4 sepolicy, and modify file.te and file_context, add a new type sec_file. #/data/audit type sec_file, file_type, data_file_type; /data/audit(/.*)? u:object_r:sec_file:s0 -- Second, compile policy. m4 -D