[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context

Dominick Grift dac.override at gmail.com
Sat Dec 31 08:43:10 UTC 2016 

On 12/30/2016 10:51 PM, cgzones wrote:
> But isn't genfscon with subcontexts only available on the /proc filesystem?

If your kernel is not too old, then it also work for sysfs

> 
> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>> wrote:
>>> reassign 849637 policycoreutils
>>> thanks
>>>
>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>>>
>>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>  > is mislabeled after boot:
>>>  >
>>>  > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>  > Would relabel /sys/devices/system/cpu/online from
>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>
>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>
>>> It's working with sysvinit because the selinux-autorelabel LSB
>>> initscript is explicitly relabeling it during boot.
>>>
>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>
>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>
>>> Reassigning to policycoreutils
>>>
>>> Laurent Bigonville
>>
>> you should be able to add a genfscon() in policy for this, provided that
>> the kernel is not too old to support that feature
>>
>> I would avoid the alternative if possible
>>>
>>>
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
>>
>>
>> _______________________________________________
>> SELinux-devel mailing list
>> SELinux-devel at lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20161231/64f227b9/attachment.sig>

More information about the SELinux-devel mailing list