From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
Luis Ressel <aranea@aixah.de>,
selinux@tycho.nsa.gov
Subject: Re: Using genfscon's partial_path for other filesystems than proc
Date: Tue, 18 Feb 2014 11:49:45 -0500 [thread overview]
Message-ID: <53038F29.2000505@redhat.com> (raw)
In-Reply-To: <53037645.7060909@tycho.nsa.gov>
On 02/18/2014 10:03 AM, Stephen Smalley wrote:
> On 02/15/2014 01:09 PM, Luis Ressel wrote:
>> Hello,
>>
>>
>> The genfscon policy statement has an argument "partial_path" which can be
>> used to use specialized contexts for subpaths inside a file system.
>> However, the documentation mentions that this can only be used for the
>> proc filesystem. Is this really the case, and if yes, why? I'd like to
>> use it for the sysfs.
>>
>> The motivation for this is that both the Fedora and the Gentoo policy
>> have cpu_online_t for /sys/devices/system/cpu/online, as this file is
>> accessed by all applications linked to a recent glibc and therefore needs
>> wider access permissions than the normal sysfs_t. Currently, the context
>> is changed at startup via an init script, which is a bit of a hack. It
>> would be neat if a genfscon statement could be used for that.
>>
>> Is this currently possible or would it require changes to the kernel
>> and/or the selinux libraries?
>
> Setting from userspace is preferable when possible, so just do that. In
> Android, there is a recursive restorecon (equivalent of restorecon -R)
> applied to /sys on boot to set up the labels of all sysfs files based on
> file_contexts entries and their udev equivalent (ueventd) fixes up the
> labels on any sysfs files created subsequently.
>
> genfs_contexts path prefix matching support for a given filesystem requires
> kernel code changes, and we try to avoid it. For /proc it makes sense
> since the entire proc tree is kernel generated and immutable by userspace
> and since proc does not provide xattr handlers. For sysfs we explored use
> of genfs_contexts but preferred a userspace solution and that is now
> supported by modern kernels.
>
>
We are using systemd-tmpfiles.d for this in Fedora/RHEL7.
cat /lib/tmpfiles.d/selinux-policy.conf
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -
z /sys/kernel/uevent_helper - - -
w /sys/fs/selinux/checkreqprot - - - - 1
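An added example, not from the thread or from systemd: a dry-run interpreter for the tmpfiles.d line types quoted above (z, Z, w) that maps each line to the relabel or write action a boot-time run would perform, so the intent of the file can be checked without SELinux on the host. SAMPLE_CONF is constructed from the quoted lines; the action names are my own labels, not systemd commands.

```python
"""Dry-run interpreter for tmpfiles.d 'z', 'Z' and 'w' lines (example code,
not systemd's own parser).  z restores the SELinux label (and mode/owner if
given), Z does so recursively, w writes its argument to the path."""
import shlex

# Constructed sample: the Fedora selinux-policy.conf lines quoted in the thread.
SAMPLE_CONF = """\
# relabel selected sysfs nodes after boot
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -
z /sys/kernel/uevent_helper - - -
w /sys/fs/selinux/checkreqprot - - - - 1
"""

def _norm(field):
    """A '-' or missing field means 'unset' in tmpfiles.d syntax."""
    return None if field in (None, "-") else field

def parse_tmpfiles(text):
    """Return (type, path, mode, user, group, age, argument) per entry line.
    Comments and blank lines are skipped; short lines are padded with None."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # honours quoted paths/arguments
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least a type and a path")
        fields += [None] * (7 - len(fields))
        typ, path = fields[0], fields[1]
        entries.append((typ, path) + tuple(_norm(f) for f in fields[2:7]))
    return entries

def plan_actions(entries):
    """Map entries to the operation a boot-time run performs:
    z -> restorecon PATH, Z -> restorecon -R PATH, w -> write ARG to PATH."""
    plan = []
    for typ, path, mode, user, group, age, arg in entries:
        if typ == "z":
            plan.append(["restorecon", path])
        elif typ == "Z":
            plan.append(["restorecon", "-R", path])
        elif typ == "w":
            if arg is None:
                raise ValueError(f"w line for {path} has nothing to write")
            plan.append(["write", path, arg])
        else:
            raise ValueError(f"unsupported tmpfiles type {typ!r} for {path}")
    return plan

if __name__ == "__main__":
    for cmd in plan_actions(parse_tmpfiles(SAMPLE_CONF)):
        print(" ".join(cmd))
```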