From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] resotorecon/setfiles generating avc: denied { getattr } on pseudo filesystems
Date: Wed, 5 Mar 2014 12:36:33 -0500
Message-ID: <531760A1.7010400@tresys.com>
In-Reply-To: <20140305002849.78607352@fornost.bigon.be>

On 03/04/2014 06:28 PM, Laurent Bigonville wrote:
> On Tue, 4 Mar 2014 11:31:28 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>
>> On 03/04/2014 11:12 AM, Laurent Bigonville wrote:
> [...]
>>> Talking a bit with Dominick, he proposed to create a new
>>> "xattrfs" attribute, attach it to all the filesystems and then use it
>>> instead of fs_t in the allow rules. This should probably also
>>> simplify/fix situations where files are moved around these pseudo-fs
>>> and real fs.
>>
>> It sounds reasonable to me, now that fs_t is not the only xattr fs.
>
> Do you know if we can assume that all the fs that currently don't have
> the noxattrfs attribute are actually supporting the xattrs?

No, we can't. The noxattrfs attribute was originally intended for regular filesystems that don't support extended attributes, such as vfat, so it doesn't include non-xattr pseudo filesystems. We should probably look at restructuring the rules so we can make the set noxattrfs and xattrfs have no intersection, but the union of the two equal to the set of all filesystem types.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
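
Added example, not part of the original message and not refpolicy code: a check for the invariant described above, that xattrfs and noxattrfs share no type and together cover every filesystem type. The policy text is a constructed sample of already-expanded `type`/`typeattribute` statements, and the function names are hypothetical.

```python
import re

# Constructed sample of expanded policy statements (not taken from refpolicy).
# The attribute name xattrfs is the one proposed in the thread.
SAMPLE_POLICY = """
attribute filesystem_type;
attribute xattrfs;
attribute noxattrfs;
type fs_t, filesystem_type, xattrfs;
type tmpfs_t, filesystem_type;
type dosfs_t, filesystem_type, noxattrfs;
type sysfs_t, filesystem_type;
type proc_t, filesystem_type;
typeattribute tmpfs_t xattrfs;
typeattribute proc_t noxattrfs, xattrfs;   # deliberate conflict
type bin_t, file_type;                     # not a filesystem type
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*((?:,\s*\w+\s*)*);")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+(\w+(?:\s*,\s*\w+)*)\s*;")

def attribute_members(policy_text):
    """Map attribute name -> set of types, from type/typeattribute statements."""
    members = {}
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop policy comments
        m = TYPE_RE.match(line) or TYPEATTR_RE.match(line)
        if not m:
            continue
        type_name, attrs = m.group(1), m.group(2)
        for attr in re.findall(r"\w+", attrs):
            members.setdefault(attr, set()).add(type_name)
    return members

def check_partition(policy_text, universe="filesystem_type",
                    parts=("xattrfs", "noxattrfs")):
    """Report types that break the disjoint-and-covering requirement."""
    members = attribute_members(policy_text)
    all_fs = members.get(universe, set())
    a, b = (members.get(p, set()) for p in parts)
    return {
        "in_both": sorted(a & b),                    # intersection must be empty
        "in_neither": sorted(all_fs - (a | b)),      # union must cover all fs types
        "not_a_filesystem": sorted((a | b) - all_fs),
    }

if __name__ == "__main__":
    for problem, types in check_partition(SAMPLE_POLICY).items():
        print(f"{problem}: {', '.join(types) or '-'}")
```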