Re: Labeling sysfs files

2017-10-03 Thread David Graziano 
On Tue, Oct 3, 2017 at 7:58 AM, Stephen Smalley  wrote:
> On Mon, 2017-10-02 at 16:54 -0500, David Graziano wrote:
>> I'm trying to find a way of labeling specific files/directories in
>> sysfs that do not exist at boot time. I'm running an embedded SELinux
>> enabled system (4.1 series kernel) where at boot there is an init
>> script performing a restorecon on /sys.  Sometime later a usb
>> cellular
>> modem is powered on and enumerated at which point the it's sysfs
>> sub-directory structure is added.
>>
>> This directory path is correctly getting my custom label via
>> restorecon during boot
>> /sys/devices/platform///fsl-ehci.0/usb1/
>>
>> After the cellular modem is powered on the following directory
>> structure is created.
>> /sys/devices/platform///fsl-ehci.0/usb1/1-1/1-
>> 1:1.10/net/wwan1/qmi
>> Everything "1-1" and lower that is getting the "default" sysfs_t
>> label.
>>
>> Is there a method of labeling that newly added sub-directory
>> structure
>> other than running restorecond or restorecon again? I specifically
>> need to control access to the "qmi" file. I've tried adding a
>> genfscon
>> to the policy but it doesn't seem to work although I don't know if
>> it's suppose to.
>>
>> Any advice would be appreciated.
>
> You could cherry-pick kernel commits
> 134509d54e4e9be2697a92cb4b48957b792b and
> 8e01472078763ebc1eaea089a1adab75dd982ccd to gain support for genfscon
> labeling of sysfs entries.  Looks like they apply ok on 4.1, although I
> haven't built or tested that. I think that's your best option.
>

Thanks for the info. I will try cherry-picking those commits.
- David

Re: Labeling sysfs files

2017-10-03 Thread Stephen Smalley 
On Mon, 2017-10-02 at 16:54 -0500, David Graziano wrote:
> I'm trying to find a way of labeling specific files/directories in
> sysfs that do not exist at boot time. I'm running an embedded SELinux
> enabled system (4.1 series kernel) where at boot there is an init
> script performing a restorecon on /sys.  Sometime later a usb
> cellular
> modem is powered on and enumerated at which point the it's sysfs
> sub-directory structure is added.
> 
> This directory path is correctly getting my custom label via
> restorecon during boot
> /sys/devices/platform///fsl-ehci.0/usb1/
> 
> After the cellular modem is powered on the following directory
> structure is created.
> /sys/devices/platform///fsl-ehci.0/usb1/1-1/1-
> 1:1.10/net/wwan1/qmi
> Everything "1-1" and lower that is getting the "default" sysfs_t
> label.
> 
> Is there a method of labeling that newly added sub-directory
> structure
> other than running restorecond or restorecon again? I specifically
> need to control access to the "qmi" file. I've tried adding a
> genfscon
> to the policy but it doesn't seem to work although I don't know if
> it's suppose to.
> 
> Any advice would be appreciated.

You could cherry-pick kernel commits
134509d54e4e9be2697a92cb4b48957b792b and
8e01472078763ebc1eaea089a1adab75dd982ccd to gain support for genfscon
labeling of sysfs entries.  Looks like they apply ok on 4.1, although I
haven't built or tested that. I think that's your best option.

Re: Labeling sysfs files

2017-10-02 Thread William Roberts 
On Mon, Oct 2, 2017 at 2:54 PM, David Graziano
 wrote:
> I'm trying to find a way of labeling specific files/directories in
> sysfs that do not exist at boot time. I'm running an embedded SELinux
> enabled system (4.1 series kernel) where at boot there is an init
> script performing a restorecon on /sys.  Sometime later a usb cellular
> modem is powered on and enumerated at which point the it's sysfs
> sub-directory structure is added.
>
> This directory path is correctly getting my custom label via
> restorecon during boot
> /sys/devices/platform///fsl-ehci.0/usb1/
>
> After the cellular modem is powered on the following directory
> structure is created.
> /sys/devices/platform///fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
> Everything "1-1" and lower that is getting the "default" sysfs_t label.
>
> Is there a method of labeling that newly added sub-directory structure
> other than running restorecond or restorecon again? I specifically
> need to control access to the "qmi" file. I've tried adding a genfscon
> to the policy but it doesn't seem to work although I don't know if
> it's suppose to.
>
> Any advice would be appreciated.
>

Because of sysfs's dynamic nature, labeling is hard, as you found out.
We have these
issues on Android as well. The best solution for us was to use/add
genfscon support:
http://permalink.gmane.org/gmane.linux.kernel.commits.head/535516

But that patch looks like it won't apply to 4.1 as none of the
SB_GENFS infrastructure
is there.

You'd have to call the restorecon in a part where the file exists but
before any clients
start using it. Perhaps you could register something via inotify (I
don't know offhand
if that works on sysfs).

If it's a service, maybe you could have the service run/trigger the
restorecon on starup,
perhaps vis init/systemd scripts.

Or perhaps you can get on a newer kernel, looks like 4.4 has it:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/security/selinux/hooks.c?h=v4.4.89#n742

Labeling sysfs files

2017-10-02 Thread David Graziano 
I'm trying to find a way of labeling specific files/directories in
sysfs that do not exist at boot time. I'm running an embedded SELinux
enabled system (4.1 series kernel) where at boot there is an init
script performing a restorecon on /sys.  Sometime later a usb cellular
modem is powered on and enumerated at which point the it's sysfs
sub-directory structure is added.

This directory path is correctly getting my custom label via
restorecon during boot
/sys/devices/platform///fsl-ehci.0/usb1/

After the cellular modem is powered on the following directory
structure is created.
/sys/devices/platform///fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
Everything "1-1" and lower that is getting the "default" sysfs_t label.

Is there a method of labeling that newly added sub-directory structure
other than running restorecond or restorecon again? I specifically
need to control access to the "qmi" file. I've tried adding a genfscon
to the policy but it doesn't seem to work although I don't know if
it's suppose to.

Any advice would be appreciated.