Wow! Thank you very much, I was completely unaware of this feature. I did not read any documentation about it on selinuxproject.org or in The SELinux Notebook v4.
I got it working via

    genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)

at https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1

One small issue arises for me: I tried to set up the directory '/sys/kernel/debug/tracing' via

    genfscon sysfs /kernel/debug/tracing gen_context(system_u:object_r:tracefs_t,s0)

but it is still labeled system_u:object_r:debugfs_t:s0 initially after boot, and it seems to change on the first access?

Example pattern:

    [...] boot + ssh login
    root@debianSE:~# restorecon -v -R -n /
    Warning no default label for /dev/mqueue
    Warning no default label for /dev/pts/0
    Warning no default label for /tmp/.font-unix
    Warning no default label for /tmp/.XIM-unix
    Warning no default label for /tmp/.X11-unix
    Warning no default label for /tmp/.Test-unix
    Warning no default label for /tmp/.ICE-unix
    Would relabel /sys/kernel/debug/tracing from system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
    root@debianSE:~# restorecon -v -R -n /
    Warning no default label for /dev/mqueue
    Warning no default label for /dev/pts/0
    Warning no default label for /tmp/.font-unix
    Warning no default label for /tmp/.XIM-unix
    Warning no default label for /tmp/.X11-unix
    Warning no default label for /tmp/.Test-unix
    Warning no default label for /tmp/.ICE-unix

Why?

I think otherwise this bug can be reassigned to refpolicy.

Thanks again Dominick

Kindly Regards,
Christian Göttsche

P.s.: The kernel patch is over here: https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd (might be Linux 4.2? plenty enough for me)

2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
> On 12/30/2016 10:51 PM, cgzones wrote:
>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>
> If your kernel is not too old, then it also works for sysfs
>
>>
>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>> wrote:
>>>> reassign 849637 policycoreutils
>>>> thanks
>>>>
>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>>>
>>>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>> > is mislabeled after boot:
>>>> >
>>>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>> > Would relabel /sys/devices/system/cpu/online from
>>>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>
>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>
>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>> initscript is explicitly relabeling it during boot.
>>>>
>>>> Under systemd, that initscript is masked by the
>>>> selinux-autorelabel.service.
>>>>
>>>> I was planning to add a tmpfiles for this, but apparently I forgot about
>>>> it.
>>>>
>>>> Reassigning to policycoreutils
>>>>
>>>> Laurent Bigonville
>>>
>>> you should be able to add a genfscon() in policy for this, provided that
>>> the kernel is not too old to support that feature
>>>
>>> I would avoid the alternative if possible
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>> _______________________________________________
>>> SELinux-devel mailing list
>>> SELinux-devel@lists.alioth.debian.org
>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
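The restorecon dry runs quoted in this thread mix two different things: "Warning no default label" lines, where the policy simply has no file context or genfscon entry for the path, and "Would relabel" lines, which are real mismatches between the label an inode currently carries and what the policy says it should be. The following POSIX sh script is an added example, not code from the bug report, from refpolicy or from policycoreutils. It parses `restorecon -v -R -n` output from stdin, separates the two kinds of line, and counts mismatches by expected type, so a before/after comparison of the kind Christian describes for /sys/kernel/debug/tracing can be scripted rather than read by eye. The sample output embedded in the script is constructed to mirror the report above; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit "restorecon -v -R -n"
# dry-run output for genuine label mismatches.
#
# Live usage after the policy with the new genfscon entries is loaded:
#     restorecon -v -R -n /sys | mislabeled_paths
#     restorecon -v -R -n /sys | mismatch_type_count tracefs_t
# Run it once right after boot and once after touching the path in question,
# then diff the two listings to see which entries only settle on first access.

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE_OUTPUT='Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Would relabel /sys/kernel/debug/tracing from system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
Would relabel /sys/devices/system/cpu/online from system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0'

# mislabeled_paths < restorecon-output
# Prints one "path<TAB>current-context<TAB>expected-context" line per
# "Would relabel" entry. Field layout of such a line is:
#   Would relabel <path> from <current> to <expected>
mislabeled_paths() {
    awk '/^Would relabel / { print $3 "\t" $5 "\t" $7 }'
}

# unlabeled_paths < restorecon-output
# Prints paths that have no default label in the loaded policy at all.
# Field layout: Warning no default label for <path>
unlabeled_paths() {
    awk '/^Warning no default label for / { print $6 }'
}

# mismatch_type_count TYPE < restorecon-output
# Counts "Would relabel" entries whose expected *type* (third colon-separated
# field of the context, e.g. tracefs_t) equals TYPE.
mismatch_type_count() {
    mislabeled_paths | awk -F'\t' -v want="$1" '
        { split($3, ctx, ":"); if (ctx[3] == want) n++ }
        END { print n + 0 }'
}

# Demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | mislabeled_paths
printf '%s\n' "$SAMPLE_OUTPUT" | mismatch_type_count tracefs_t
```

The "Would relabel" lines are the only ones worth acting on: a "no default label" warning for a tmpfs socket directory is the policy declining to say anything, not a wrong label. Keeping the expected type as a separate column makes it easy to grep the listing for a single genfscon target while iterating on the policy.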