From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: [PATCH] selinux: enable per-file labeling for debugfs files.
Date: Wed, 20 May 2015 19:44:46 +0200 [thread overview]
Message-ID: <20150520174444.GE30612@x131e> (raw)
In-Reply-To: <555CC3A6.1030404@tycho.nsa.gov>
On Wed, May 20, 2015 at 01:25:58PM -0400, Stephen Smalley wrote:
> On 05/20/2015 12:28 PM, Dominick Grift wrote:
> > On Wed, May 20, 2015 at 12:24:50PM -0400, Stephen Smalley wrote:
> >> On 05/20/2015 12:20 PM, Dominick Grift wrote:
> >>> On Wed, May 20, 2015 at 12:13:18PM -0400, Stephen Smalley wrote:
> >>>> On 05/20/2015 12:04 PM, Dominick Grift wrote:
> >>>>> On Wed, May 20, 2015 at 11:59:34AM -0400, Stephen Smalley wrote:
> >>>>>> On 05/20/2015 11:51 AM, Dominick Grift wrote:
> >>>>>>> On Tue, May 19, 2015 at 03:46:06PM -0400, Stephen Smalley wrote:
> >>>
> >>>>>> The original motivating use case for per-file labeling for sysfs was
> >>>>>> libvirt labeling of specific sysfs nodes to make them accessible to
> >>>>>> specific virtual machines (qemu instances). In that scenario, we needed
> >>>>>> userspace to be able to drive the labeling based on more than just the
> >>>>>> pathname and so genfs_contexts wasn't suitable.
> >>>
> >>> I do not think that is applicable anymore (although i may be wrong)
> >>
> >> Not sure what you mean, but to clarify, I mean that libvirt has to set
> >> the context (at least the categories for MCS and possibly the type as
> >> well) on any sysfs node that needs to be accessible by the qemu
> >> instance. At least that used to be the case.
> >>
> >
> > That is what I mean. I am not aware of any such scenarios today. Again, I might be overlooking it.
>
> Would only show up if you are doing PCI passthrough, I believe.
>
> Also possible that they never leveraged the support in libvirt even
> after we got the kernel support merged. But not to say that it wouldn't
> improve their security nonetheless today...
>
>
Thanks, I hadn't noticed that. Your patch would not break that functionality.
Thanks for your patch; it will allow me to start labeling some files in /sys as well.
I just really did not feel comfortable relying on systemd-tmpfiles for that.
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
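The thread contrasts two ways a sysfs or debugfs node gets its label: genfs_contexts, where the policy maps a filesystem type and path prefix to a context so the label is a function of the pathname alone, and per-file (xattr-backed) labeling, where userspace such as libvirt can write a context carrying a specific guest's MCS categories onto an individual node. The script below is an added example written for this page; it is not code from the thread, the kernel or libvirt. It models both mechanisms and shows why pathname-only labeling cannot carry per-VM categories. The genfscon table, the PCI path, the `example_pci_sysfs_t` type name and the category numbers are constructed for illustration; `sysfs_t`, `debugfs_t`, `svirt_t` and `svirt_image_t` are the real refpolicy/libvirt type names, and the MCS check modeled is only the category-dominance part of the constraint, not type enforcement.

```python
"""
Added example: genfs_contexts (pathname-only) labeling versus per-file
labeling of sysfs/debugfs nodes, and the effect on MCS isolation between
two qemu instances. All policy entries, paths and categories are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Genfscon:
    fstype: str
    prefix: str
    context: str


# Constructed table in the shape of refpolicy's
#   genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
# sysfs_t and debugfs_t are real types; the PCI entry is constructed.
GENFS_CONTEXTS: List[Genfscon] = [
    Genfscon("sysfs", "/", "system_u:object_r:sysfs_t:s0"),
    Genfscon("sysfs", "/bus/pci/devices", "system_u:object_r:example_pci_sysfs_t:s0"),
    Genfscon("debugfs", "/", "system_u:object_r:debugfs_t:s0"),
]

# Stand-in for xattr-backed per-file labels: (fstype, path) -> context.
PerFileLabels = Dict[Tuple[str, str], str]


def genfs_context(fstype: str, path: str) -> Optional[str]:
    """Pathname-only labeling: of the genfscon entries for this fstype whose
    prefix matches the path, the longest prefix wins (the policy compiler
    orders entries so that the kernel lookup yields exactly this)."""
    best: Optional[Genfscon] = None
    for entry in GENFS_CONTEXTS:
        if entry.fstype != fstype or not path.startswith(entry.prefix):
            continue
        if best is None or len(entry.prefix) > len(best.prefix):
            best = entry
    return best.context if best else None


def label_for_vm(labels: PerFileLabels, fstype: str, path: str,
                 categories: Set[int]) -> str:
    """What a manager such as libvirt can do once the filesystem supports
    per-file labels: write a context carrying one guest's MCS categories
    onto the specific node that guest must reach. Category numbers are
    constructed; svirt_image_t is the type libvirt uses for guest files."""
    level = "s0:" + ",".join(f"c{c}" for c in sorted(categories)) if categories else "s0"
    ctx = f"system_u:object_r:svirt_image_t:{level}"
    labels[(fstype, path)] = ctx
    return ctx


def resolve(labels: PerFileLabels, fstype: str, path: str) -> Optional[str]:
    """A per-file label wins when present; otherwise fall back to genfscon."""
    return labels.get((fstype, path)) or genfs_context(fstype, path)


def mcs_categories(context: str) -> Set[int]:
    """Category set of a context's low level (user:role:type:s0[:cats]).
    Ranges such as c0.c3 are expanded; high levels are not modeled."""
    parts = context.split(":")
    if len(parts) < 5:
        return set()
    cats: Set[int] = set()
    for item in parts[4].split(","):
        if "." in item:
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def mcs_allows(subject: str, obj: str) -> bool:
    """MCS dominance as used for svirt isolation: the subject's categories
    must be a superset of the object's. Type enforcement is not modeled."""
    return mcs_categories(subject) >= mcs_categories(obj)


def demo() -> dict:
    """Two guests with disjoint categories and one constructed sysfs node."""
    labels: PerFileLabels = {}
    node = "/bus/pci/devices/0000:01:00.0/config"  # constructed path
    vm_a = "system_u:system_r:svirt_t:s0:c10,c20"
    vm_b = "system_u:system_r:svirt_t:s0:c30,c40"

    # genfs_contexts only: the label depends on the path alone, so the
    # MCS check cannot distinguish the two guests.
    genfs_only = resolve(labels, "sysfs", node)
    before = (mcs_allows(vm_a, genfs_only), mcs_allows(vm_b, genfs_only))

    # per-file labeling: VM A's categories are written onto the node.
    label_for_vm(labels, "sysfs", node, {10, 20})
    per_file = resolve(labels, "sysfs", node)
    after = (mcs_allows(vm_a, per_file), mcs_allows(vm_b, per_file))
    return {"genfs_only": genfs_only, "before": before,
            "per_file": per_file, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the before/after pair: with genfs_contexts alone both guests pass the MCS check against the node, and only after a per-file label carrying VM A's categories is written does VM B fail it. The same holds for debugfs once it supports per-file labels, which is what the patch under discussion enables.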
Thread overview: 11+ messages
2015-05-19 19:46 [PATCH] selinux: enable per-file labeling for debugfs files Stephen Smalley
2015-05-20 15:51 ` Dominick Grift
2015-05-20 15:59 ` Stephen Smalley
2015-05-20 16:04 ` Dominick Grift
2015-05-20 16:13 ` Stephen Smalley
2015-05-20 16:20 ` Dominick Grift
2015-05-20 16:24 ` Stephen Smalley
2015-05-20 16:28 ` Dominick Grift
2015-05-20 17:25 ` Stephen Smalley
2015-05-20 17:44 ` Dominick Grift [this message]
2015-05-21 15:36 ` Paul Moore