On 04/19/2016 09:18 PM, YongQin Liu wrote:
>
>
> On 20 April 2016 at 00:45, Stephen Smalley <[email protected]
> <mailto:[email protected]>> wrote:
>
>     On 04/19/2016 12:32 PM, YongQin Liu wrote:
>     > Hi, Stephen
>     >
>     > Thanks for your suggestions!
>     >
>     > With the hack on selinux_is_sblabel_mnt(), and the sepolicy rules change here:
>     > https://android-review.googlesource.com/#/c/216878/
>     >
>     > I can make it so there are no avc denials in dmesg.
>     > But if we support tracefs in the sepolicy rules of AOSP, then the kernel is
>     > required to be 4.1 or later, or the tracefs feature has to be ported to
>     > kernels before that, which seems inflexible.
>     >
>     > Is there a better way to make one copy of the sepolicy rules in AOSP support
>     > both kernel versions before 4.1 and later?
>
>     Your policy change also loses the distinction between trace_marker and
>     other files under tracing. The distinction is important because we only
>     want trace_marker to be writable by all, not the rest of the tracefs
>     files.
>
>     The only actual change required to sepolicy is adding a line to
>     genfs_contexts; you do not need to change the existing types, allow
>     rules, or file_contexts entries. Just add:
>
>         genfscon tracefs / u:object_r:debugfs_tracing:s0
>
>     to genfs_contexts.
>
>     Then it should work seamlessly for any kernel version.
>
>
> The /sys/kernel/debug/tracing/trace_marker file cannot be marked
> with the debugfs_trace_marker context; the following is the output of
> the ls -Z command:
>
>     u:object_r:debugfs_tracing:s0 /sys/kernel/debug/tracing/trace_marker
Ah, yes, you would need to allow the association, e.g.

In attributes, add:

    # All types used for tracefs files.
    attribute tracefs_type;

In file.te, add tracefs_type to debugfs_trace_marker and debugfs_tracing:

    type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
    type debugfs_tracing, fs_type, debugfs_type, tracefs_type;

Later in file.te, add an allow rule:

    allow tracefs_type tracefs:filesystem associate;
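The failure in the thread is a missing filesystem `associate` permission: a genfscon entry names a file type that is not allowed to associate with the tracefs filesystem type, so the label silently falls back. The following is an added example, not code from the thread or from AOSP sepolicy: a small checker that parses a policy fragment (type declarations with attributes, allow rules, genfscon lines) and reports genfscon entries whose type lacks an `associate` rule against the filesystem type. The sample policy is constructed to mirror the suggested changes; the `type tracefs, fs_type;` declaration and the `/trace_marker` genfscon line are assumptions added so the sample is self-contained.

```python
import re

# Constructed policy fragment modelled on the thread's suggested changes; it is not
# the actual AOSP sepolicy. 'type tracefs' and the '/trace_marker' genfscon line are
# assumptions added so the sample is self-contained.
POLICY = """
attribute tracefs_type;
type tracefs, fs_type;
type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
allow tracefs_type tracefs:filesystem associate;
genfscon tracefs / u:object_r:debugfs_tracing:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
"""

# allow SRC TGT:CLASS PERM;  or  allow SRC TGT:CLASS { p1 p2 };
ALLOW_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^}]+?)\s*\}?$')

def parse_policy(text):
    """Return (types, allows, genfs): type->attribute set, allow tuples, genfscon tuples."""
    types, allows, genfs = {}, [], []
    for line in text.splitlines():
        line = line.strip().rstrip(';')
        tok = line.split()
        if not tok:
            continue
        if tok[0] == 'type':
            names = [t.strip(',') for t in tok[1:]]
            types[names[0]] = set(names[1:])
        elif tok[0] == 'allow':
            m = ALLOW_RE.match(line)
            if m:
                allows.append((m.group(1), m.group(2), m.group(3), set(m.group(4).split())))
        elif tok[0] == 'genfscon':
            # context is u:object_r:TYPE:s0; keep only the type
            genfs.append((tok[1], tok[2], tok[3].split(':')[2]))
    return types, allows, genfs

def matches(name, type_name, types):
    """True if NAME is TYPE_NAME itself or an attribute that TYPE_NAME carries."""
    return name == type_name or name in types.get(type_name, set())

def missing_associations(text):
    """genfscon entries whose file type has no 'filesystem associate' rule for its fs type."""
    types, allows, genfs = parse_policy(text)
    return [(fs, path, t) for fs, path, t in genfs
            if not any(matches(src, t, types) and matches(tgt, fs, types)
                       and cls == 'filesystem' and 'associate' in perms
                       for src, tgt, cls, perms in allows)]

# Dropping tracefs_type from debugfs_tracing reproduces the missing association.
BROKEN = POLICY.replace('type debugfs_tracing, fs_type, debugfs_type, tracefs_type;',
                        'type debugfs_tracing, fs_type, debugfs_type;')
```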
