On 04/19/2016 10:57 AM, Stephen Smalley wrote:
> On 04/19/2016 10:47 AM, Stephen Smalley wrote:
>> On 04/19/2016 10:32 AM, YongQin Liu wrote:
>>> Hi, ALL
>>>
>>> I am trying the android-n-preview with kernel 4.4, and found that tracefs
>>> is automatically mounted there by the kernel, with mount options like this:
>>> tracefs on /sys/kernel/debug/tracing type tracefs (rw,relatime)
>>>
>>> And I found avc warnings on the console like this:
>>> [ 6.840279] init: SELinux: Could not set context for
>>> /sys/kernel/debug/tracing/set_event_pid: Operation not supported on
>>> transport endpoint
>>>
>>> I think it's caused by the following lines in the file_contexts file:
>>> /sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
>>> /sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
>>>
>>> And it seems tracefs does not support the seclabel mount option.
>>>
>>> So what's the better way to support tracefs in Android?
>>> Updating the sepolicy rules seems to be the easier way, but what if the kernel
>>> still does not support tracefs yet?
>>> Or make some changes on the kernel side for tracefs?
>>>
>>> And tracefs would be supported in user mode as well, I guess.
>>
>> Hmm...we would need to augment the logic in SELinux to support per-file
>> labeling of tracefs via either setxattr or genfs_contexts. The quick
>> fix would be to just add tracefs to the list of whitelisted filesystem
>> types in selinux_is_sblabel_mnt(), but the right fix would be to
>> generalize this logic as described in the last item on the todo list,
>> https://bitbucket.org/seandroid/wiki/wiki/ToDo
>
> Also, you'd need to add an entry to genfs_contexts in the policy to
> define a default label for tracefs files.

The other question is whether Android could dispense with mounting debugfs at all and only mount tracefs, as that was one of the motivations for splitting tracefs from debugfs.

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
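As an added example (not code from the thread or from the SEAndroid project), a Python check for the situation discussed above: it flags file_contexts entries whose target path lives on a filesystem that cannot take per-file labels, which is why init's setxattr fails with "Operation not supported", and derives the genfs_contexts default label Stephen mentions. The mount table, the set of label-capable filesystem types and the `genfscon` output form are assumptions made for this example.

```python
import re

# Constructed /proc/mounts-style sample matching the thread's
# "tracefs on /sys/kernel/debug/tracing type tracefs (rw,relatime)".
MOUNTS = """\
/dev/block/dm-0 / ext4 ro,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
tracefs /sys/kernel/debug/tracing tracefs rw,relatime 0 0
"""
# The two file_contexts entries quoted in the thread.
FILE_CONTEXTS = """\
/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0
/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0
"""
# Assumption: filesystem types that accept per-file labels (xattr-capable or on
# the kernel's selinux_is_sblabel_mnt() whitelist). tracefs is absent on purpose.
SBLABEL_TYPES = {"ext4", "f2fs", "tmpfs", "sysfs", "debugfs", "rootfs"}

def parse_mounts(text):
    """[(mountpoint, fstype)] from /proc/mounts text, longest mount point first."""
    mounts = [(f[1], f[2]) for f in (l.split() for l in text.splitlines()) if len(f) >= 3]
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)

def literal_prefix(spec):
    """Path part of a file_contexts regex up to its first metacharacter."""
    return re.split(r"[\(\[\.\*\?\+\^\$\|\\]", spec, maxsplit=1)[0].rstrip("/") or "/"

def owning_mount(path, mounts):
    for mp, fstype in mounts:  # longest mount point wins
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            return mp, fstype
    return None

def find_unlabelable(file_contexts, mounts_text):
    """Entries whose label cannot be set via setxattr on the owning filesystem,
    each paired with a genfscon line that gives the same label as a genfs default."""
    mounts, findings = parse_mounts(mounts_text), []
    for line in file_contexts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        spec, label, path = parts[0], parts[-1], literal_prefix(parts[0])
        hit = owning_mount(path, mounts)
        if hit is None or hit[1] in SBLABEL_TYPES:
            continue
        rel = path[len(hit[0].rstrip("/")):] or "/"  # path relative to the mount root
        findings.append((spec, hit[1], f"genfscon {hit[1]} {rel} {label}"))
    return findings
```

On a real device the same check can be fed the live /proc/mounts and file_contexts; entries it reports are the ones that will produce the "Could not set context" messages seen in the thread.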
