I thought about this, but nothing currently does per pid files... ie /proc/123/X /proc/124/X ...
perhaps a label of /proc/self/X is sufficient... But that would imply labels are determined at inode lookup, and I thought the resolution happened on mount

Bill

On Sat, Jul 6, 2013 at 8:46 AM, Robert Craig <[email protected]> wrote:
> Would applying a different label at build time to specific entities under
> /proc work? We already do this for various default entries (look in
> external/sepolicy/genfs_contexts). For instance:
>
> genfscon proc / u:object_r:proc:s0
> genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
> genfscon proc /sysrq-trigger u:object_r:sysrq_proc:s0
>
> On Fri, Jul 5, 2013 at 11:07 PM, William Roberts <[email protected]> wrote:
>
>> Chcon won't work, as 'a' is from proc ... it's not that big of a deal,
>> but it would be nice.
>>
>> From: [email protected] On Behalf Of Robert Craig
>> Sent: Friday, July 05, 2013 1:40 PM
>> To: William Roberts
>> Cc: [email protected]
>> Subject: Re: bind mount ignoring context option
>>
>> > I was initially trying to bind mount stuff out of /proc and apply a
>> > separate label to it, and it didn't work. Any idea on how to bind mount a
>> > file, from /proc/<pid> (no xattr support) and provide a separate label for
>> > the entity?
>>
>> Since the bind mount will allow you to have the directory/filesystem
>> accessible from both mount points at the same time, would it make sense to
>> have two different labels? Maybe you could:
>>
>> chcon u:object_r:mqueue:s0 a
>> mount -o bind a b
>>
>> --
>> Respectfully,
>>
>> William C Roberts
>

--
Respectfully,

William C Roberts
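The genfscon rules Robert quotes are resolved by the kernel as a longest-path-prefix match among the entries for that filesystem type, so a path with no entry of its own inherits the label of the closest enclosing rule. The script below is an added example, not code from this thread or from the AOSP sepolicy project: it reimplements that lookup in POSIX shell over a constructed genfs_contexts fragment (the three rules from the thread), so you can see which label a per-pid path such as /proc/123/status would get. The "unlabeled" fallback string and the function name `genfs_label` are this example's own stand-ins, not kernel or policy identifiers.

```shell
#!/bin/sh
# Constructed genfs_contexts fragment: the three proc rules quoted in the
# thread. Format per line: genfscon <fstype> <path-prefix> <label>
GENFS_RULES='genfscon proc / u:object_r:proc:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /sysrq-trigger u:object_r:sysrq_proc:s0'

# genfs_label FSTYPE PATH
#   Prints the label of the longest genfscon prefix that matches PATH for
#   FSTYPE (PATH is relative to the mount root, e.g. /net/xt_qtaguid/ctrl).
#   Prints "unlabeled" (a stand-in for the kernel's unlabeled SID) when no
#   rule for that fstype matches.
genfs_label() {
    fstype=$1
    path=$2
    best_len=-1
    best_label=""
    # The heredoc feeds the rules into the loop without a pipe, so the
    # best_* variables are updated in the current shell, not a subshell.
    while read -r kw fs prefix label; do
        [ "$kw" = genfscon ] || continue      # skip blank/other lines
        [ "$fs" = "$fstype" ] || continue     # rules only apply to their fstype
        case $path in
            "$prefix"*)                       # literal prefix match
                len=${#prefix}
                if [ "$len" -gt "$best_len" ]; then
                    best_len=$len
                    best_label=$label
                fi
                ;;
        esac
    done <<EOF
$GENFS_RULES
EOF
    if [ -n "$best_label" ]; then
        printf '%s\n' "$best_label"
    else
        printf 'unlabeled\n'
    fi
}

# Demo: the two specific rules win for their own paths, while any per-pid
# path only ever reaches the catch-all "/" rule, i.e. plain proc.
for p in /sysrq-trigger /net/xt_qtaguid/ctrl /net/xt_qtaguid/stats /123/status /456/status; do
    printf '%-28s -> %s\n' "proc$p" "$(genfs_label proc "$p")"
done
```

Because only prefixes are matched, labeling /proc/123/status differently would require a rule per pid, which is what makes a build-time genfscon approach unworkable for the per-pid case raised at the top of the thread; the output for /123/status and /456/status shows both collapsing onto u:object_r:proc:s0.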
