[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context

cgzones cgzones at googlemail.com
Sat Dec 31 10:34:38 UTC 2016


Wow!

Thank you very much, I was completely unaware of this feature.
I did not read any documentation of it on selinuxproject.org or in The
SELinux Notebook v4 about it.

I got it working via

genfscon sysfs /devices/system/cpu/online
gen_context(system_u:object_r:cpu_online_t,s0)

at https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1

One small issue arises for me:
I tried to set up the directory '/sys/kernel/debug/tracing' via
'genfscon sysfs /kernel/debug/tracing
gen_context(system_u:object_r:tracefs_t,s0)'
but it is still labeled system_u:object_r:debugfs_t:s0 initially after
boot, but seems to change on the first access?

Example pattern:

[...] boot + ssh login
root at debianSE:~# restorecon -v -R -n /
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix
Would relabel /sys/kernel/debug/tracing from
system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
root at debianSE:~# restorecon -v -R -n /
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Warning no default label for /tmp/.font-unix
Warning no default label for /tmp/.XIM-unix
Warning no default label for /tmp/.X11-unix
Warning no default label for /tmp/.Test-unix
Warning no default label for /tmp/.ICE-unix

Why?

I think otherwise this bug can be reassigned to refpolicy.

Thanks again, Dominick.
Kind regards,
       Christian Göttsche

P.s.:
The kernel patch is over here:
https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
(might be Linux 4.2? plenty enough for me)

2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
> On 12/30/2016 10:51 PM, cgzones wrote:
>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>
> If your kernel is not too old, then it also works for sysfs
>
>>
>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>>> wrote:
>>>> reassign 849637 policycoreutils
>>>> thanks
>>>>
>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>>>>
>>>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>  > is mislabeled after boot:
>>>>  >
>>>>  > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>  > Would relabel /sys/devices/system/cpu/online from
>>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>
>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>
>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>> initscript is explicitly relabeling it during boot.
>>>>
>>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>>
>>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>>
>>>> Reassigning to policycoreutils
>>>>
>>>> Laurent Bigonville
>>>
>>> you should be able to add a genfscon() in policy for this, provided that
>>> the kernel is not too old to support that feature
>>>
>>> I would avoid the alternative if possible
>>>>
>>>>
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
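A small Python helper, added here and not part of the thread or of refpolicy, that parses the `restorecon -v -R -n` dry-run output quoted above and tells persistent mislabels (still reported on a second run, like the original cpu/online report) from transient ones that vanish after first access (like /sys/kernel/debug/tracing). The sample runs are constructed from the output in this message.

```python
import re
from typing import Dict, List, Tuple

# restorecon -n wraps the two contexts onto the line after the path, hence \s+.
RELABEL_RE = re.compile(
    r"Would relabel (?P<path>\S+) from\s+(?P<cur>\S+)\s+to\s+(?P<want>\S+)")
NO_DEFAULT_RE = re.compile(r"Warning no default label for (?P<path>\S+)")

def parse_dry_run(output: str) -> Dict[str, Tuple[str, str]]:
    """Map each path restorecon would relabel to (current, expected) context."""
    return {m["path"]: (m["cur"], m["want"]) for m in RELABEL_RE.finditer(output)}

def unspecified_paths(output: str) -> List[str]:
    """Paths for which file_contexts has no entry (the 'no default label' lines)."""
    return sorted(m["path"] for m in NO_DEFAULT_RE.finditer(output))

def classify_drift(first: str, second: str) -> Dict[str, List[str]]:
    """Split mislabels into those still present on the second dry run (a real
    policy/labeling gap) and those that disappeared between runs (a node that
    only picked up its genfscon label on first access)."""
    a, b = parse_dry_run(first), parse_dry_run(second)
    return {
        "persistent": sorted(p for p in a if b.get(p) == a[p]),
        "transient": sorted(p for p in a if p not in b),
    }

# Constructed sample: the two consecutive dry runs from this message, with the
# cpu/online entry from the original report added to the first run so that
# both classes show up.
FIRST_RUN = """\
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Would relabel /sys/devices/system/cpu/online from
system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
Would relabel /sys/kernel/debug/tracing from
system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
"""
SECOND_RUN = """\
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Would relabel /sys/devices/system/cpu/online from
system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
"""

if __name__ == "__main__":
    for kind, paths in classify_drift(FIRST_RUN, SECOND_RUN).items():
        print(f"{kind}: {paths}")
    print("no file_contexts entry:", unspecified_paths(FIRST_RUN))
```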
