[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context

Dominick Grift dac.override at gmail.com
Sat Dec 31 11:38:29 UTC 2016


On 12/31/2016 11:34 AM, cgzones wrote:
> Wow!
> 
> Thank you very much, I was completely unaware of this feature.
> I did not read any documentation of it on selinuxproject.org or in The
> SELinux Notebook v4 about it.
> 
> I got it working via
> 
> genfscon sysfs /devices/system/cpu/online
> gen_context(system_u:object_r:cpu_online_t,s0)
> 
> at https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
> 
> One small issue arises for me:
> I tried to set up the directory '/sys/kernel/debug/tracing' via
> 'genfscon sysfs /kernel/debug/tracing
> gen_context(system_u:object_r:tracefs_t,s0)'
> but it is still labeled initially system_u:object_r:debugfs_t:s0 after
> boot, and seems to change on the first access?

You need a genfscon for tracefs; it is mounted on the
kernel/debug/tracing dir:

genfscon tracefs / gen_context()

> 
> Example pattern:
> 
> [...] boot + ssh login
> root at debianSE:~# restorecon -v -R -n /
> Warning no default label for /dev/mqueue
> Warning no default label for /dev/pts/0
> Warning no default label for /tmp/.font-unix
> Warning no default label for /tmp/.XIM-unix
> Warning no default label for /tmp/.X11-unix
> Warning no default label for /tmp/.Test-unix
> Warning no default label for /tmp/.ICE-unix
> Would relabel /sys/kernel/debug/tracing from
> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
> root at debianSE:~# restorecon -v -R -n /
> Warning no default label for /dev/mqueue
> Warning no default label for /dev/pts/0
> Warning no default label for /tmp/.font-unix
> Warning no default label for /tmp/.XIM-unix
> Warning no default label for /tmp/.X11-unix
> Warning no default label for /tmp/.Test-unix
> Warning no default label for /tmp/.ICE-unix
> 
> Why?
> 
> I think otherwise this bug can be reassigned to refpolicy.
> 
> Thanks again Dominick
> Kind regards,
>        Christian Göttsche
> 
> P.s.:
> The kernel patch is over here:
> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
> (might be Linux 4.2? plenty enough for me)
> 
> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>> On 12/30/2016 10:51 PM, cgzones wrote:
>>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>>
>> If your kernel is not too old, then it also works for sysfs
>>
>>>
>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>>>> wrote:
>>>>> reassign 849637 policycoreutils
>>>>> thanks
>>>>>
>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>>>>>
>>>>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>>  > is mislabeled after boot:
>>>>>  >
>>>>>  > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>>  > Would relabel /sys/devices/system/cpu/online from
>>>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>
>>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>>
>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>> initscript is explicitly relabeling it during boot.
>>>>>
>>>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>>>
>>>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>>>
>>>>> Reassigning to policycoreutils
>>>>>
>>>>> Laurent Bigonville
>>>>
>>>> you should be able to add a genfscon() in policy for this, provided that
>>>> the kernel is not too old to support that feature
>>>>
>>>> I would avoid the alternative if possible


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
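The labeling behaviour discussed in this thread (a genfscon rule applies only to the filesystem type it names, so a sysfs rule never reaches the tracefs mounted at /sys/kernel/debug/tracing, and before that automount happens the path is just a debugfs directory) can be reproduced with a small model. The following is an added example, not code from the thread, the kernel or refpolicy: the genfscon rule set and the two mount tables are constructed sample data, and the matching mirrors the kernel's rule selection (longest rule path that is a plain string prefix of the path relative to the mount; no rule for the fstype means the file ends up unlabeled). The restorecon parser at the end turns dry-run output like the one quoted above into machine-checkable records.

```python
"""Model of how genfscon assigns the initial SELinux context of a path on a
pseudo-filesystem, plus a parser for `restorecon -n` dry-run output.
All rules, mount tables and log lines here are constructed sample data."""

import re

# genfscon rules as (fstype, path prefix, context), mirroring the policy form
#   genfscon <fstype> <path> gen_context(<context>)
# The tracefs entry is the rule the thread says must be added.
GENFSCON_RULES = [
    ("sysfs",   "/",                          "system_u:object_r:sysfs_t:s0"),
    ("sysfs",   "/devices/system/cpu/online", "system_u:object_r:cpu_online_t:s0"),
    ("debugfs", "/",                          "system_u:object_r:debugfs_t:s0"),
    ("tracefs", "/",                          "system_u:object_r:tracefs_t:s0"),
]

# Constructed mount tables: before tracefs is auto-mounted on first access,
# /sys/kernel/debug/tracing is only a directory on debugfs.
MOUNTS_BEFORE_FIRST_ACCESS = [("/sys", "sysfs"), ("/sys/kernel/debug", "debugfs")]
MOUNTS_AFTER_FIRST_ACCESS = MOUNTS_BEFORE_FIRST_ACCESS + [
    ("/sys/kernel/debug/tracing", "tracefs"),
]

# Context the kernel falls back to when no genfscon entry exists for the fstype.
UNLABELED = "system_u:object_r:unlabeled_t:s0"


def _under(path, mountpoint):
    """True if path is the mountpoint itself or a component below it."""
    return path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")


def find_mount(path, mounts):
    """Deepest mount containing path, as (mountpoint, fstype), or None."""
    hits = [m for m in mounts if _under(path, m[0])]
    return max(hits, key=lambda m: len(m[0])) if hits else None


def genfs_label(path, mounts, rules=GENFSCON_RULES):
    """Context genfscon assigns to path: the longest rule path, among rules for
    the mount's fstype, that is a plain string prefix of the path relative to
    the mount (the kernel compares prefixes, not whole path components)."""
    mount = find_mount(path, mounts)
    if mount is None:
        return None
    mountpoint, fstype = mount
    rel = path[len(mountpoint.rstrip("/")):] or "/"
    matches = [(p, ctx) for fs, p, ctx in rules if fs == fstype and rel.startswith(p)]
    if not matches:
        return UNLABELED
    return max(matches, key=lambda m: len(m[0]))[1]


# One line per relabel in real restorecon output (the thread's copy was wrapped
# by the mail client); warnings about missing default labels are skipped.
_RELABEL_RE = re.compile(r"^Would relabel (\S+) from (\S+) to (\S+)$")


def parse_restorecon_dry_run(text):
    """Return [(path, current_context, expected_context)] from `restorecon -v -n` output."""
    found = []
    for line in text.splitlines():
        m = _RELABEL_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


# Constructed sample output, modelled on the thread's first restorecon run.
SAMPLE_RESTORECON_OUTPUT = """\
Warning no default label for /dev/mqueue
Warning no default label for /dev/pts/0
Would relabel /sys/kernel/debug/tracing from system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
"""


if __name__ == "__main__":
    for mounts, when in ((MOUNTS_BEFORE_FIRST_ACCESS, "before"), (MOUNTS_AFTER_FIRST_ACCESS, "after")):
        print(when, "first access:", genfs_label("/sys/kernel/debug/tracing", mounts))
    print("cpu/online:", genfs_label("/sys/devices/system/cpu/online", MOUNTS_AFTER_FIRST_ACCESS))
    print("mismatches:", parse_restorecon_dry_run(SAMPLE_RESTORECON_OUTPUT))
```

Dropping the tracefs rule from GENFSCON_RULES shows why a sysfs rule for /kernel/debug/tracing cannot help: once tracefs is mounted there, only rules whose fstype is tracefs are consulted, and with none present the directory is left unlabeled rather than picking up the sysfs or debugfs context.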
