On 12/30/2016 10:51 PM, cgzones wrote:
> But isn't genfscon with subcontexts only available on the /proc filesystem?

If your kernel is not too old, then it also works for sysfs

>
> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>> wrote:
>>> reassign 849637 policycoreutils
>>> thanks
>>>
>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>>
>>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>>> > is mislabeled after boot:
>>> >
>>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>> > Would relabel /sys/devices/system/cpu/online from
>>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>
>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>
>>> It's working with sysvinit because the selinux-autorelabel LSB
>>> initscript is explicitly relabeling it during boot.
>>>
>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>
>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>
>>> Reassigning to policycoreutils
>>>
>>> Laurent Bigonville
>>
>> you should be able to add a genfscon() in policy for this, provided that
>> the kernel is not too old to support that feature
>>
>> I would avoid the alternative if possible
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift

--
Dominick Grift
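An added example, not part of the thread or of any project's own code: a shell helper that turns the `restorecon -n` dry-run lines quoted above into candidate `genfscon sysfs` statements in kernel policy language syntax, the policy-side fix suggested in the thread. The function names and the second sample line are constructed for illustration, and the output only takes effect on a kernel that honours genfscon path labeling for sysfs.

```shell
#!/bin/sh
# Sample dry-run output. The first entry is the one reported in the thread;
# the second entry and the non-matching line are constructed for the example.
sample_output() {
cat <<'EOF'
Would relabel /sys/devices/system/cpu/online from system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
Would relabel /sys/fs/example_node from system_u:object_r:sysfs_t:s0 to system_u:object_r:example_t:s0
restorecon: some unrelated diagnostic line
EOF
}

# Read `restorecon -n -v` lines on stdin. For every mislabeled path under
# /sys, print a genfscon statement that would make the kernel assign the
# expected context at creation time, so no boot-time relabel is needed.
genfscon_candidates() {
    while IFS= read -r line; do
        case $line in
            "Would relabel /sys/"*" from "*" to "*) ;;
            *) continue ;;                 # not a sysfs mislabel report
        esac
        rest=${line#Would relabel }
        path=${rest%% from *}              # absolute path, e.g. /sys/devices/...
        want=${rest##* to }                # context the file_contexts expect
        # genfscon paths are relative to the filesystem root, so drop /sys.
        printf 'genfscon sysfs %s %s\n' "${path#/sys}" "$want"
    done
}

# Stand-alone demonstration on the embedded sample.
sample_output | genfscon_candidates
```

On a live system the input would come from the same command shown in the report, `restorecon -vv -R -F -n /sys`, with the resulting statements reviewed before being added to the policy source.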