Would applying a different label at build time to specific entities under /proc work? We already do this for various default entries (look in external/sepolicy/genfs_contexts). For instance:
genfscon proc / u:object_r:proc:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /sysrq-trigger u:object_r:sysrq_proc:s0

On Fri, Jul 5, 2013 at 11:07 PM, William Roberts <[email protected]> wrote:
> Chcon won’t work, as ‘a’ is from proc … it’s not that big of a deal, but
> it would be nice.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Robert Craig
> Sent: Friday, July 05, 2013 1:40 PM
> To: William Roberts
> Cc: [email protected]
> Subject: Re: bind mount ignoring context opton
>
> > I was initially trying to bind mount stuff out of /proc and apply a
> > separate label to it, and it didn't work. Any idea on how to bind mount a
> > file, from /proc/<pid> (no xattr support) and provide a separate label for
> > the entity?
>
> Since the bind mount will allow you to have the directory/filesystem
> accessible from both mount points at the same time, would it make sense to
> have two different labels? Maybe you could:
>
> chcon u:object_r:mqueue:s0 a
> mount -o bind a b
>
> --
> Respectfully,
>
> William C Roberts
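The genfscon lines above label paths on filesystems without xattr support, and the kernel resolves them by longest-prefix match (security_genfs_sid compares the entry path against the requested path with strncmp, so the match is a plain string prefix, not a path-component match). The script below is an added example, not code from the thread or from the Android sepolicy project: it parses a constructed genfs_contexts fragment (the three entries quoted above) and reports which label a given path under /proc would receive, which is the check you want before relying on a new genfscon entry. Function names and the fragment are my own; entries carrying an object-class qualifier (-c, -d, ...) are rejected rather than handled.

```python
# Added example: resolve the SELinux label a genfscon policy assigns to a path.
# Not part of the mailing-list thread or of external/sepolicy; names are mine.
from typing import List, Optional, Tuple

# Constructed fragment in the genfs_contexts syntax used by external/sepolicy.
GENFS_CONTEXTS = """
# fstype  path                    context
genfscon proc / u:object_r:proc:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /sysrq-trigger u:object_r:sysrq_proc:s0
"""

Entry = Tuple[str, str, str]  # (fstype, path, context)


def parse_genfs_contexts(text: str) -> List[Entry]:
    """Parse 'genfscon <fstype> <path> <context>' lines; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "genfscon":
            raise ValueError(f"not a genfscon statement: {raw!r}")
        if len(parts) == 5 and parts[3].startswith("-"):
            # Per-object-class qualifier (e.g. -d for directories); the
            # 2013 Android policy did not use it and this example does not model it.
            raise ValueError(f"object-class qualifier unsupported: {raw!r}")
        if len(parts) != 4:
            raise ValueError(f"malformed genfscon line: {raw!r}")
        _, fstype, path, ctx = parts
        entries.append((fstype, path, ctx))
    return entries


def genfs_label(entries: List[Entry], fstype: str, path: str) -> Optional[str]:
    """Longest-prefix match over entries for fstype, mirroring security_genfs_sid.

    'path' is relative to the mount point: /proc/sysrq-trigger is queried as
    "/sysrq-trigger".  Because the kernel uses strncmp, "/sysrq-trigger2"
    also matches the "/sysrq-trigger" entry; there is no component boundary.
    """
    best: Optional[Tuple[str, str]] = None
    for fs, prefix, ctx in entries:
        if fs != fstype or not path.startswith(prefix):
            continue
        if best is None or len(prefix) > len(best[0]):
            best = (prefix, ctx)
    return best[1] if best else None


def label_table(text: str, fstype: str, paths: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Convenience: label every path in one pass; None means no entry matched."""
    entries = parse_genfs_contexts(text)
    return [(p, genfs_label(entries, fstype, p)) for p in paths]


if __name__ == "__main__":
    probes = ["/", "/net/xt_qtaguid/ctrl", "/net/xt_qtaguid/stats",
              "/sysrq-trigger", "/sysrq-trigger2", "/1234/status"]
    for path, ctx in label_table(GENFS_CONTEXTS, "proc", probes):
        print(f"{path:28} -> {ctx}")
```

Two things the output makes visible: everything not covered by a longer entry, including /net/xt_qtaguid/stats, falls back to the `/` entry (u:object_r:proc:s0), and the prefix rule means a new entry such as `/sysrq-trigger` also covers any sibling whose name merely starts with that string. Note also that the table says /1234/status gets u:object_r:proc:s0, but that is not what the kernel does for per-process entries: SELinux labels /proc/<pid>/* with the owning task's context (selinux_task_to_inode), so a genfscon entry cannot relabel those files, and a bind mount does not change the label either.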
