On 12/31/2016 11:34 AM, cgzones wrote:
> Wow!
>
> Thank you very much, I was completely unaware of this feature.
> I did not read any documentation of it on selinuxproject.org or in The
> SELinux Notebook v4 about it.
>
> I got it working via
>
> genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
>
> at
> https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>
> One small issue arises for me:
> I tried to set up the directory '/sys/kernel/debug/tracing' via
> 'genfscon sysfs /kernel/debug/tracing
> gen_context(system_u:object_r:tracefs_t,s0)'
> but is it still labeled initially system_u:object_r:debugfs_t:s0 after
> boot but seems to change on the first access?

you need a genfscon for tracefs, it is mounted on the kernel/debug/tracing dir

genfscon tracefs / gen_context()

>
> Example pattern:
>
> [...] boot + ssh login
> root@debianSE:~# restorecon -v -R -n /
> Warning no default label for /dev/mqueue
> Warning no default label for /dev/pts/0
> Warning no default label for /tmp/.font-unix
> Warning no default label for /tmp/.XIM-unix
> Warning no default label for /tmp/.X11-unix
> Warning no default label for /tmp/.Test-unix
> Warning no default label for /tmp/.ICE-unix
> Would relabel /sys/kernel/debug/tracing from
> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
> root@debianSE:~# restorecon -v -R -n /
> Warning no default label for /dev/mqueue
> Warning no default label for /dev/pts/0
> Warning no default label for /tmp/.font-unix
> Warning no default label for /tmp/.XIM-unix
> Warning no default label for /tmp/.X11-unix
> Warning no default label for /tmp/.Test-unix
> Warning no default label for /tmp/.ICE-unix
>
> Why?
>
> I think otherwise this bug can be reassigned to refpolicy.
>
> Thanks again Dominick
> Kindly Regards,
> Christian Göttsche
>
> P.s.:
> The kernel patch is over here:
> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
> (might be Linux 4.2? plenty enough for me)
>
> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>> On 12/30/2016 10:51 PM, cgzones wrote:
>>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>>
>> If your kernel is not too old, then it also works for sysfs
>>
>>>
>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.overr...@gmail.com>:
>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bi...@debian.org>
>>>> wrote:
>>>>> reassign 849637 policycoreutils
>>>>> thanks
>>>>>
>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzo...@googlemail.com> wrote:
>>>>>
>>>>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>> > is mislabeled after boot:
>>>>> >
>>>>> > root@test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>> > Would relabel /sys/devices/system/cpu/online from
>>>>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>
>>>>> Not sure why this is assigned to systemd as this is not created by
>>>>> systemd.
>>>>>
>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>> initscript is explicitly relabeling it during boot.
>>>>>
>>>>> Under systemd, that initscript is masked by the
>>>>> selinux-autorelabel.service.
>>>>>
>>>>> I was planning to add a tmpfiles for this, but apparently I forgot about
>>>>> it.
>>>>>
>>>>> Reassigning to policycoreutils
>>>>>
>>>>> Laurent Bigonville
>>>>
>>>> you should be able to add a genfscon() in policy for this, provided that
>>>> the kernel is not too old to support that feature
>>>>
>>>> I would avoid the alternative if possible
>>>>>
>>>>>
>>>>
>>>> --
>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>> Dominick Grift
>>>>
>>>>
>>>> _______________________________________________
>>>> SELinux-devel mailing list
>>>> selinux-de...@lists.alioth.debian.org
>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
>>
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
>>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
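
Added example (not part of the thread and not refpolicy or kernel code): a simplified Python model of the point made in the reply above, that a genfscon rule is matched against the filesystem a path actually lives on, with the rule path taken relative to that filesystem's root. The mount table, the rule lists and the function names are constructed for illustration, and the tracefs_t context on the tracefs rule is an assumption carried over from the sysfs rule quoted in the thread.

```python
# Simplified model of genfscon resolution; an added example, not kernel code.
# MOUNTS and both rule lists are constructed sample data.
MOUNTS = [  # (mount point, filesystem type)
    ("/", "ext4"),
    ("/sys", "sysfs"),
    ("/sys/kernel/debug", "debugfs"),
    ("/sys/kernel/debug/tracing", "tracefs"),
]
RULES_BEFORE = [  # (filesystem type, path inside that filesystem, context)
    ("sysfs", "/", "system_u:object_r:sysfs_t:s0"),
    ("sysfs", "/devices/system/cpu/online", "system_u:object_r:cpu_online_t:s0"),
    ("sysfs", "/kernel/debug/tracing", "system_u:object_r:tracefs_t:s0"),
    ("debugfs", "/", "system_u:object_r:debugfs_t:s0"),
]
# Assumed fix: the reply's "genfscon tracefs /" with the tracefs_t context.
RULES_AFTER = RULES_BEFORE + [("tracefs", "/", "system_u:object_r:tracefs_t:s0")]


def is_under(path, mount_point):
    """True if path is the mount point itself or lies below it."""
    base = mount_point.rstrip("/")
    return path == base or path.startswith(base + "/")


def owning_mount(path, mounts):
    """Return (mount point, fstype) of the deepest mount that contains path."""
    return max((m for m in mounts if is_under(path, m[0])), key=lambda m: len(m[0]))


def genfs_label(path, mounts, rules):
    """Return (fstype, context): only rules for the owning filesystem are
    considered, and the longest rule path that prefixes the in-filesystem
    path wins. context is None when no rule applies."""
    mount_point, fstype = owning_mount(path, mounts)
    rel = path[len(mount_point.rstrip("/")):] or "/"
    hits = [(p, ctx) for fs, p, ctx in rules if fs == fstype and rel.startswith(p)]
    return fstype, (max(hits, key=lambda h: len(h[0]))[1] if hits else None)


if __name__ == "__main__":
    tracing = "/sys/kernel/debug/tracing"
    print(genfs_label("/sys/devices/system/cpu/online", MOUNTS, RULES_BEFORE))
    print(genfs_label(tracing, MOUNTS[:-1], RULES_BEFORE))  # tracefs not mounted yet
    print(genfs_label(tracing, MOUNTS, RULES_BEFORE))       # sysfs rule never consulted
    print(genfs_label(tracing, MOUNTS, RULES_AFTER))        # tracefs rule matches
```
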