From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo filesystem types
Date: Tue, 26 Aug 2014 16:53:00 +0200 [thread overview]
Message-ID: <20140826145258.GA1464@e145.network2> (raw)
In-Reply-To: <53FC7B94.3000001@tresys.com>
On Tue, Aug 26, 2014 at 08:20:36AM -0400, Christopher J. PeBenito wrote:
> On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
>
> I don't think debugfs_t is a good example. Looking at the file
> contexts, I don't see why it needs to be a mount point. I also don't
> think that these pseudo filesystems should be file types either since
> they aren't regular files. It seems like the best choice would be to
> use fs_getattr_all_dirs(collectd_t).
>
In my experience, a way to see if something should be classified mountpoint (or whether some directory should maybe not be labeled with a filesystem type)
is look for AVC denials like this:
avc: denied { write } for pid=674 comm="mount" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=0
The mount command checks mountpoint file directories for write access
it can be a tough call. I had this for example with cgroupfs. In fedora, systemd does some voodoo with tmpfs and cgroupfs
the result was that /sys/fs/cgroup dir was labeled type cgroup_t but the links that were created early on in /sys/fs/cgroup remained type tmpfs_t
The inconsistency aggitated me and so i decided to just remove the fc spec for /sys/fs/cgroup. This caused /sys/fs/cgroup to end up with
tmpfs_t just like the links in there, which no one except systemd use anyways
It allowed me to disassociate the file_type and mountpoint_type attributes with cgroup_t (since now mount, mounts on tmpfs_t dirs instead)
This hack would not be upstreamable since this is systemd specific but it does demonstrate some of the reasoning for some of my decisions
about whether to associate something ith mountpoint_type or not
--
http://subkeys.pgp.net:11371/pks/lookup?search=0x02DFF788&op=index
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140826/072a215d/attachment.bin
next prev parent reply other threads:[~2014-08-26 14:53 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-23 11:35 [refpolicy] [PATCH 0/7] Set of small patches Nicolas Iooss
2014-08-23 11:35 ` [refpolicy] [PATCH 1/7] Label /usr/lib/networkmanager/ like /usr/lib/NetworkManager/ Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 2/7] Label /var/spool/postfix/dev/ files Nicolas Iooss
2014-08-25 15:04 ` Christopher J. PeBenito
2014-08-26 16:14 ` Nicolas Iooss
2014-09-17 8:00 ` Russell Coker
2014-08-23 11:35 ` [refpolicy] [PATCH 3/7] Fix typo in fs_getattr_all_fs description Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo filesystem types Nicolas Iooss
2014-08-26 12:20 ` Christopher J. PeBenito
2014-08-26 14:53 ` Dominick Grift [this message]
2014-08-27 21:51 ` Nicolas Iooss
2014-08-28 7:06 ` Dominick Grift
2014-08-28 9:39 ` Dominick Grift
2014-08-29 22:26 ` Nicolas Iooss
2014-09-12 18:14 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 5/7] Add socket and dccp_socket to socket_class_set Nicolas Iooss
2014-08-25 15:07 ` Christopher J. PeBenito
2014-08-26 17:22 ` Nicolas Iooss
2014-08-27 17:41 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 6/7] Add ioctl and lock to manage_lnk_file_perms Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
2014-08-23 11:35 ` [refpolicy] [PATCH 7/7] Label (/var)?/tmp/systemd-private-.../tmp like /tmp Nicolas Iooss
2014-08-26 13:15 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140826145258.GA1464@e145.network2 \
--to=dac.override@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.