I was forgetting that ueventd and watchdogd are just symlinks back to init, not sure what the best approach is for them. Perhaps we could compute the "seclabel" implicitly from the linkfile label and setexecon() based on that.
On Sat, Jun 6, 2015 at 9:56 AM, William Roberts <[email protected]> wrote: > Sounds good to me its in the queue > On Jun 6, 2015 7:29 AM, "Nick Kralevich" <[email protected]> wrote: > >> We got side tracked in this discussion slightly. >> >> Going back to your original question: I would accept Android patches >> which added a restorecon_recursive("/sbin") in init.cpp and the >> corresponding SELinux policy changes. It's not the ideal solution, but it >> seems reasonable and is a building block to something better. >> >> -- Nick >> >> On Tue, Jun 2, 2015 at 3:34 PM, Roberts, William C < >> [email protected]> wrote: >> >>> That would be pretty great if that went forward, and is definitely the >>> ideal implementation. I’m just seeing people throwing these seclabel >>> statements into their init.rc without understanding why. Considering what’s >>> already being restorecon’d a simple restore on /sbin would be unnoticeable, >>> and self-contained and would allow for the drop of seclabel, and once >>> proper support came about for rootfs labels at build time (which could be >>> awhile considering the tooling impact) a simple one line delete in init.cpp >>> would be all that is needed. >>> >>> >>> >>> This would also have the side effect of preventing the policy from being >>> hardcoded and scattered outside of the sepolicy directory. Just my two >>> cents. >>> >>> >>> >>> Bill >>> >>> >>> >>> *From:* Nick Kralevich [mailto:[email protected]] >>> *Sent:* Tuesday, June 2, 2015 3:13 PM >>> *To:* Roberts, William C >>> *Cc:* [email protected] >>> *Subject:* Re: killing init seclabel >>> >>> >>> >>> I'd prefer if we work on getting proper kernel support for handling >>> SELinux labels on the rootfs. >>> http://marc.info/?l=initramfs&m=142178147926029&w=2 adds support for a >>> rootfs with SELinux labels built in, but that patchset seems to have >>> stalled. >>> >>> >>> >>> Once we have that, then we could do all the rootfs labeling at build >>> time, and not have to tweak labels at runtime. >>> >>> >>> >>> -- Nick >>> >>> >>> >>> On Tue, Jun 2, 2015 at 11:18 AM, Roberts, William C < >>> [email protected]> wrote: >>> >>> Given that rootfs supports restorecon can we kill seclabel and just >>> label things in sbin and set up transitions? Can we perhaps support >>> genfscon path name labeling like in sysfs/procfs and thus avoid the need >>> for a restorecon? >>> >>> >>> >>> Any objections to this or preference in approach? >>> >>> >>> >>> Thanks, >>> >>> Bill >>> >>> >>> _______________________________________________ >>> Seandroid-list mailing list >>> [email protected] >>> To unsubscribe, send email to [email protected]. >>> To get help, send an email containing "help" to >>> [email protected]. >>> >>> >>> >>> >>> >>> -- >>> >>> Nick Kralevich | Android Security | [email protected] | 650.214.4037 >>> >> >> >> >> -- >> Nick Kralevich | Android Security | [email protected] | 650.214.4037 >> >> _______________________________________________ >> Seandroid-list mailing list >> [email protected] >> To unsubscribe, send email to [email protected]. >> To get help, send an email containing "help" to >> [email protected]. >> > -- Respectfully, William C Roberts
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
