[refpolicy] Questions about genfscon

[cpebenito@tresys.com (Christopher J. PeBenito)]

On 07/09/12 14:35, Haiqing Jiang wrote:
> Thanks for reading this email. I have a quick question about the syntax of "genfscon". 
> I want to re-label some files' context under /proc directory. From current implementation I can find that 
> all the contexts under /proc using genfscon syntax in the file of "ocontext". Then I tried the following cases,
> and the confusions are coming:
> 
> Case 1: I imitated the labeling syntax in the file of "ocontext", like: genfscon proc /XXX u:object_r:xxx:s0;
> The contexts are changed after re-built. (Working fine)
> Case 2: I didn't modify in the "ocontext" file, instead I modify in the file of "file_context", like: genfscon proc /XXX u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not working)
> Case 3: I didn't modify in the "ocontext" file, instead I modify in the file of "file_context" and without using genfscon syntax, like: /proc/XXX u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not working) 
> Case 4: I didn't modify in the "ocontext" file, instead I modify in the file of "sepolicy.fc" under /device/samsung/tuna/ and using "genfscon" syntax and regular label syntax, like: genfscon proc /XXX u:object_r:xxx:s0 and /proc/XXX u:object_r:xxx:s0; They don't work. I cannot find the new contexts. (Not working)
> 
> In all, the only way I can do is to label /proc files contexts in the file of "ocontext" and to use "genfscon" syntax. 
> Could someone explain the reasons? Thanks a lot. 

The short answer is its because proc is a pseudo filesystem and has no persistent storage.  File_contexts is used to initialize the labeling of filesystems with persistent storage, e.g. ext4.  If you're looking for further discussion, the NSA SELinux mail list is more appropriate.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com