From: Dominick Grift <dominick.grift@defensec.nl>
To: Ashish Mishra <ashishm@mvista.com>
Cc: SElinux list <selinux@vger.kernel.org>, Paul Moore <paul@paul-moore.com>
Subject: Re: Selinux context type is same for root & normal user both
Date: Wed, 06 Jan 2021 16:04:50 +0100 [thread overview]
Message-ID: <ypjlsg7ef6nh.fsf@defensec.nl> (raw)
In-Reply-To: <CAP2Ojci-JoSP_DtOecVNFi8AhTKTqKmpu+558Kzpucr8-z3nyg@mail.gmail.com> (Ashish Mishra's message of "Wed, 6 Jan 2021 20:25:44 +0530")
Ashish Mishra <ashishm@mvista.com> writes:
> Hi Dominick,
> Thanks for your valuable time and inputs.
>
> As background w.r.t. the ROOTFS:
> a) We had a custom SDK, which is a basic makefile-based SDK.
>
> b) The rootfs was RAMFS-based.
> For SELinux we switched from RAMFS to TEMPFS.
>
> c) It did not have SELinux, so we added refpolicy & selinux-userland.
> The expectation was that we would get a working SELinux context & policy.
> I have the policy, but the context is the same for each file
> and folder.
You also have to address labeling. If your filesystem is ram-based
(volatile) then I suspect you will have to address labeling at runtime
(ie run setfiles/restorecon to label the filesystem). The point is that
your filesystem is currently not labeled according to the reference
policy.
>
> d) The setup is being evaluated for tempfs (INITRAMFS-as-TEMPFS +
> SELINUX) w.r.t. the output of the mount command:
> ~ # mount
> rootfs on / type rootfs (rw,seclabel,size=253620k,nr_inodes=63405)
> sysfs on /sys type sysfs (rw,seclabel,relatime)
> selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
> nodev on /dev type devtmpfs (rw,seclabel,relatime,size=253620k,nr_inodes=63405,mode=755)
> none on /proc type proc (rw,relatime)
> none on /dev/shm type tmpfs (rw,seclabel,relatime)
> none on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
> none on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
> none on /mnth type hugetlbfs (rw,seclabel,relatime)
> cgroup on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,mode=755)
> cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset)
> cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
> cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
> cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio)
> cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
> cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
> cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
> cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls)
> cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio)
> cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb)
> cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids)
> cgroup on /sys/fs/cgroup/debug type cgroup (rw,relatime,debug)
> cgroups on /sys/fs/cgroup/unified type cgroup2 (rw,relatime)
>
>
> Thanks,
> Ashish
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
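What "not labeled according to the policy" means in practice, as an added example that is not part of the thread above: the policy ships a file_contexts database (conventionally /etc/selinux/<SELINUXTYPE>/contexts/files/file_contexts), and setfiles/restorecon walk the filesystem, look up each path in that database and set the matching context. On a volatile rootfs nothing persists, so that walk has to happen at init, after the policy is loaded. The script below reimplements the lookup offline and prints the relabeling setfiles would perform against a constructed snapshot in which every inode carries the same context, mirroring the symptom in the thread. The file_contexts excerpt and the listing are constructed sample data, not copied from any shipped policy; the "longest literal prefix wins, later entry wins a tie" ordering approximates how libselinux ranks entries and is an assumption of this example, not a specification.

```python
import re

# Constructed file_contexts excerpt (regex, optional file-type flag, context).
# Modeled on reference-policy style entries; sample data for this example only.
FILE_CONTEXTS = """\
/.*                 system_u:object_r:default_t:s0
/                   -d  system_u:object_r:root_t:s0
/bin(/.*)?          system_u:object_r:bin_t:s0
/bin/bash           --  system_u:object_r:shell_exec_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/shadow         --  system_u:object_r:shadow_t:s0
/dev(/.*)?          system_u:object_r:device_t:s0
/tmp                -d  system_u:object_r:tmp_t:s0
/tmp/.*             <<none>>
"""

# Constructed 'ls -Z'-style snapshot of a never-labeled volatile rootfs: one
# context everywhere. Which context that is depends on the filesystem's
# fs_use/genfscon rule; unlabeled_t here is a placeholder.
CURRENT_LABELS = """\
d system_u:object_r:unlabeled_t:s0 /
d system_u:object_r:unlabeled_t:s0 /bin
- system_u:object_r:unlabeled_t:s0 /bin/bash
d system_u:object_r:unlabeled_t:s0 /etc
- system_u:object_r:unlabeled_t:s0 /etc/shadow
- system_u:object_r:unlabeled_t:s0 /etc/hostname
d system_u:object_r:unlabeled_t:s0 /tmp
- system_u:object_r:unlabeled_t:s0 /tmp/scratch
"""

# file_contexts file-type flags mapped to the type column of 'ls -l' / 'ls -Z'.
FTYPE_FLAGS = {"--": "-", "-d": "d", "-c": "c", "-b": "b",
               "-s": "s", "-l": "l", "-p": "p"}
_META = set(".^$?*+|[](){}\\")


def literal_prefix(regex):
    """Leading run of the regex with no metacharacters: the stem used to rank specificity."""
    out = []
    for ch in regex:
        if ch in _META:
            break
        out.append(ch)
    return "".join(out)


def parse_file_contexts(text):
    """Parse file_contexts lines into specs ordered most-specific-first (assumed ordering)."""
    specs = []
    for idx, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            ftype = FTYPE_FLAGS[flag]          # entry applies to one file type only
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None                       # entry applies to any file type
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append({"re": re.compile(regex), "ftype": ftype, "ctx": ctx,
                      "prefix": len(literal_prefix(regex)), "idx": idx})
    # Longest literal prefix first; on a tie the later entry in the file wins.
    specs.sort(key=lambda s: (-s["prefix"], -s["idx"]))
    return specs


def match_context(specs, path, ftype):
    """Return the context the database assigns to path, '<<none>>' to leave it alone, or None."""
    for s in specs:
        if s["ftype"] is not None and s["ftype"] != ftype:
            continue
        if s["re"].fullmatch(path):            # libselinux anchors the regex to the whole path
            return s["ctx"]
    return None


def relabel_plan(specs, listing):
    """List (path, current, wanted) for every inode whose context setfiles would change."""
    changes = []
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        ftype, current, path = raw.split(None, 2)
        wanted = match_context(specs, path, ftype)
        if wanted is None or wanted == "<<none>>" or wanted == current:
            continue
        changes.append((path, current, wanted))
    return changes


if __name__ == "__main__":
    db = parse_file_contexts(FILE_CONTEXTS)
    for path, current, wanted in relabel_plan(db, CURRENT_LABELS):
        print(f"relabel {path}: {current} -> {wanted}")
```

On the target the equivalent step is running setfiles with the policy's file_contexts against / (or restorecon -R /) from the init script once selinuxfs is mounted and the policy is loaded, then confirming with ls -Z that directories and files no longer share one context; files under /tmp are skipped here because the sample database marks them <<none>>.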
Thread overview: 19+ messages
2021-01-04 10:55 Selinux context type is same for root & normal user both Ashish Mishra
2021-01-04 12:16 ` Dominick Grift
2021-01-04 12:39 ` Ashish Mishra
2021-01-04 12:51 ` Dominick Grift
2021-01-06 13:35 ` Ashish Mishra
2021-01-06 13:52 ` Dominick Grift
[not found] ` <CAP2OjcjOEXsWM1H2pkMzhb3y2ss7SCTw8_1Tsb23kUnEDVfx-g@mail.gmail.com>
2021-01-06 14:30 ` Dominick Grift
2021-01-06 14:55 ` Ashish Mishra
2021-01-06 15:04 ` Dominick Grift [this message]
2021-01-06 15:20 ` Ashish Mishra
2021-01-06 15:39 ` Dominick Grift
2021-01-06 16:00 ` Ondrej Mosnacek
2021-01-06 16:16 ` Ashish Mishra
2021-01-06 16:39 ` Dominick Grift
2021-01-07 7:35 ` Ashish Mishra
2021-01-06 14:25 ` Ashish Mishra
2021-01-06 14:27 ` Ashish Mishra
2021-01-06 14:41 ` Dominick Grift
2021-01-06 14:45 ` Dominick Grift