On Thu, Mar 30, 2017 at 09:44:34AM -0400, Stephen Smalley wrote:
> On Wed, 2017-03-29 at 17:00 -0400, Colin Walters wrote:
> > Hi, see: https://github.com/ostreedev/ostree/pull/768
> > 
> > TL;DR: Policy (at least Fedora's version) does not specify
> > a label for /proc on disk (as distinct from the `proc_t` from
> > the genfscon).
> > 
> > This causes some breakage in rpm-ostree (which I can work
> > around), but I'd like a better fix than what I did above.
> > Any suggestions?  It probably doesn't
> > matter too much what the actual type is since systemd will
> > overmount it - should I make it the same type as e.g. `/mnt`?
> 
> You shouldn't hardcode security contexts, ever.  Why can't one just fix
> the Fedora policy?  Do we still even need the <<none>> entries for
> /proc in file_contexts in Fedora policy, given that restorecon is now
> smart enough to skip any filesystem that lacks seclabel in
> /proc/mounts? Android doesn't use <<none>> in its file_contexts at all.

It is not always as simple in my experience though (although for "/proc -d" it 
probably is).

<<none>> is a reliable way to trick unreliable "selinux aware" applications 
into thinking that they shouldn't bother with setfscreatecon(_default).

There can be various reasons why one might want to do that. One of which is 
that these selinux aware applications might or might not reset customizable 
identifiers (roles and ids).
Another reason would be to avoid inconsistent labels, where a process should 
use setfscreatecon but where it doesn't. (You could anticipate this in policy in 
other ways as well, but <<none>> does the trick there as well.)

> 
> As to what type it should have, I would try to keep it in whatever type
> it is presently being assigned in Fedora during an install to avoid
> breakage.  Not sure offhand what that is.
> 
> There is a more general problem here though, in that we don't presently
> have an unambiguous way to specify a different security context for a
> mountpoint directory vs a mounted directory in file_contexts.  That's
> been previously noted as an issue in Android.  Probably requires some
> new syntax in file_contexts to distinguish.
> 
> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
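
An added example, not part of the thread and not libselinux code: a simplified model of the two skip rules discussed above (a mount without seclabel in /proc/mounts, and a <<none>> entry in file_contexts), showing why /proc ends up with no label in an offline tree where it is only a directory. The file_contexts entries, mount tables and types are constructed, and matching is reduced to "last matching entry wins".

```python
import re

# Constructed file_contexts entries; the types are illustrative, not Fedora's.
FILE_CONTEXTS = """\
/.*        system_u:object_r:default_t:s0
/proc  -d  <<none>>
/proc/.*   <<none>>
/mnt   -d  system_u:object_r:mnt_t:s0
"""
# Constructed /proc/mounts content: a running system, and an offline tree
# in which /proc is only a directory on the root filesystem.
LIVE_MOUNTS = """\
/dev/sda1 / ext4 rw,seclabel,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""
OFFLINE_MOUNTS = "/dev/sda1 / ext4 rw,seclabel,relatime 0 0\n"

def parse_specs(text):
    """Return (regex, file_type_or_None, context) per entry."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            ftype = fields[1] if len(fields) == 3 else None
            specs.append((re.compile(fields[0]), ftype, fields[-1]))
    return specs

def has_seclabel(path, mounts_text):
    """True if the longest mount point containing path has the seclabel option."""
    best, labeled = "", False
    for line in mounts_text.splitlines():
        _dev, mnt, _fstype, opts = line.split()[:4]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, labeled = mnt, "seclabel" in opts.split(",")
    return labeled

def decide(path, is_dir, specs, mounts_text):
    """Return the context to apply, or a 'skip: ...' reason."""
    if not has_seclabel(path, mounts_text):
        return "skip: mount lacks seclabel"
    ctx = None
    for regex, ftype, context in specs:  # simplification: last match wins
        if regex.fullmatch(path) and (ftype is None or (ftype == "-d" and is_dir)):
            ctx = context
    if ctx is None or ctx == "<<none>>":
        return "skip: no context specified"
    return ctx
```

Replacing the constructed `/proc -d <<none>>` entry with a real context gives the directory a label under OFFLINE_MOUNTS, while under LIVE_MOUNTS the mounted /proc is still skipped by the seclabel check.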
