Hi All,

We use ecryptfs with Android and have the following entry in our fs_use file:

  fs_use_xattr ecryptfs u:object_r:labeledfs:s0;

Everything works very well when we create ecryptfs filesystems over ext4 directories. But, we also want to do this over directories that do not support extended security attributes (e.g. vfat) and that has been problematic.

We can get ecryptfs over vfat mostly working via a context mount (note that vfat uses genfs_contexts). But, unfortunately, a context mount requires a filesystem relabelto operation, and that is not permitted because of a neverallow statement that Stephen added:

  # Restrict context mounts to specific types marked with
  # the contextmount_type attribute.
  neverallow domain {fs_type -contextmount_type}:filesystem relabelto;

Here is a link to the commit:
https://bitbucket.org/seandroid/external-sepolicy/commits/75e2ef92601c485348c40cc8884839fba27046ba

There is an exception in the neverallow for contextmount_type filesystems. But, the se-android policy makes such file systems read-only, so we cannot apply that context to our ecryptfs over vfat filesystem.

I don't understand why the filesystem relabelto operation is required (I suspect it may be related to our fs_use entry for ecryptfs). Even when the mount-point context matches the context of the vfat filesystem, you still need a relabelto operation (i.e. the operation still seems to be required even when we are relabeling from X to X).

If we change the neverallow rule to something like this:

  neverallow domain {fs_type -contextmount_type -sdcard_type}:filesystem relabelto;

Then everything works great. Unfortunately, we cannot do that without violating CDD :-(

It seems like we need another entry in our fs_use file for ecryptfs over vfat (ecryptfs_vfat).

Does the SELinux policy language support something like that? Can we have multiple ecryptfs entries in fs_use (i.e. one for ecryptfs_ext4 and one for ecryptfs_vfat)?

Any comments or suggestions would be much appreciated,

thanks,

-James M
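As an added illustration (not part of the message above, and not Android's policy), the small Python script below evaluates the set expression in the quoted neverallow the way the policy compiler does: positive members are unioned and every `-x` member is subtracted, so a type carrying both `fs_type` and `sdcard_type` stays inside `{fs_type -contextmount_type}` and only drops out once `-sdcard_type` is added. The type names, attribute assignments and allow rules are constructed for the example; only `fs_type`, `contextmount_type`, `sdcard_type`, `labeledfs` and `domain` come from the message.

```python
"""Toy evaluator for the attribute set expressions used in SELinux
allow/neverallow rules, written to illustrate the neverallow quoted above.

Constructed sample policy: every type, attribute assignment and allow rule
below is an assumption for illustration, not Android's real policy.
"""
from typing import Dict, List, NamedTuple, Set

# Constructed: type name -> attributes it carries.
SAMPLE_TYPES: Dict[str, Set[str]] = {
    # process (domain) types, hypothetical
    "vold": {"domain"},
    "init": {"domain"},
    # filesystem types; "vfat" is a hypothetical name for the vfat genfs type
    "labeledfs": {"fs_type"},
    "vfat": {"fs_type", "sdcard_type"},
    "rootfs": {"fs_type", "contextmount_type"},
    "tmpfs": {"fs_type"},
}


class AllowRule(NamedTuple):
    source: str
    target: str
    cls: str
    perm: str


def expand(types: Dict[str, Set[str]], name: str) -> Set[str]:
    """Expand a type or attribute name to the concrete types it denotes."""
    if name in types:
        return {name}
    return {t for t, attrs in types.items() if name in attrs}


def eval_set_expr(types: Dict[str, Set[str]], expr: str) -> Set[str]:
    """Evaluate '{ a b -c }': union the positive members, then subtract every
    '-x' member, regardless of token order."""
    tokens = expr.strip().lstrip("{").rstrip("}").split()
    positive: Set[str] = set()
    negative: Set[str] = set()
    for tok in tokens:
        if tok.startswith("-"):
            negative |= expand(types, tok[1:])
        else:
            positive |= expand(types, tok)
    return positive - negative


def neverallow_violations(types: Dict[str, Set[str]], allows: List[AllowRule],
                          never_source: str, never_target: str,
                          cls: str, perm: str) -> List[AllowRule]:
    """Return the allow rules that 'neverallow <source> <target>:<cls> <perm>'
    rejects, i.e. the build-time conflict check the policy compiler performs."""
    sources = eval_set_expr(types, never_source)
    targets = eval_set_expr(types, never_target)
    found: List[AllowRule] = []
    for rule in allows:
        if rule.cls != cls or rule.perm != perm:
            continue
        if expand(types, rule.source) & sources and expand(types, rule.target) & targets:
            found.append(rule)
    return found


# Constructed: the allow rule a context mount over the vfat type would need
# (hypothetical vold as the mounting domain), next to rules that are fine.
SAMPLE_ALLOWS: List[AllowRule] = [
    AllowRule("vold", "vfat", "filesystem", "relabelto"),
    AllowRule("init", "rootfs", "filesystem", "relabelto"),  # contextmount_type exception
    AllowRule("vold", "vfat", "filesystem", "mount"),         # different permission
]

ORIGINAL = "{fs_type -contextmount_type}"
RELAXED = "{fs_type -contextmount_type -sdcard_type}"


def check(target_expr: str) -> List[AllowRule]:
    """Run the quoted neverallow (source 'domain') with the given target set."""
    return neverallow_violations(SAMPLE_TYPES, SAMPLE_ALLOWS, "domain",
                                 target_expr, "filesystem", "relabelto")


if __name__ == "__main__":
    for expr in (ORIGINAL, RELAXED):
        print(expr, "covers", sorted(eval_set_expr(SAMPLE_TYPES, expr)),
              "violations:", check(expr))
```

With the constructed policy, the original expression flags the `vold -> vfat relabelto` rule and the relaxed expression flags nothing, which is the behaviour the message reports; the `init -> rootfs` rule is never flagged because `rootfs` carries `contextmount_type`.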
_______________________________________________
Seandroid-list mailing list