[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context
cgzones at googlemail.com
Fri Dec 30 21:51:37 UTC 2016
But isn't genfscon with subcontexts only available on the /proc filesystem?
2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>> reassign 849637 policycoreutils
>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>> > When running a SELinux enabled system /sys/devices/system/cpu/online
>> > is mislabeled after boot:
>> > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>> > Would relabel /sys/devices/system/cpu/online from
>> > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>> Not sure why this is assigned to systemd as this is not created by systemd.
>> It's working with sysvinit because the selinux-autorelabel LSB
>> initscript is explicitly relabeling it during boot.
>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>> Reassigning to policycoreutils
>> Laurent Bigonville
> you should be able to add a genfscon() in policy for this, provided that
> the kernel is not too old to support that feature
> I would avoid the alternative if possible
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> Dominick Grift
> SELinux-devel mailing list
> SELinux-devel at lists.alioth.debian.org
More information about the SELinux-devel