[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context

Dominick Grift dac.override at gmail.com
Sat Dec 31 11:41:08 UTC 2016


On 12/31/2016 12:38 PM, Dominick Grift wrote:
> On 12/31/2016 11:34 AM, cgzones wrote:
>> Wow!
>>
>> Thank you very much, I was completely unaware of this feature.
>> I did not read any documentation of it on selinuxproject.org or in The
>> SELinux Notebook v4 about it.
>>
>> I got it working via
>>
>> genfscon sysfs /devices/system/cpu/online
>> gen_context(system_u:object_r:cpu_online_t,s0)
>>
>> at https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>
>> One small issue arises for me:
>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>> 'genfscon sysfs /kernel/debug/tracing
>> gen_context(system_u:object_r:tracefs_t,s0)'
>> but it is still labeled initially system_u:object_r:debugfs_t:s0 after
>> boot but seems to change on the first access?
> 
> you need a genfscon for tracefs, it is mounted on the
> kernel/debug/tracing dir
> 
> genfscon tracefs / gen_context()

Also a word of advice: don't add any fc specs for anything under /sys

The entries in there are not files (it's a pseudo fs like /proc, and proc
also doesn't have fc specs)

> 
>>
>> Example pattern:
>>
>> [...] boot + ssh login
>> root at debianSE:~# restorecon -v -R -n /
>> Warning no default label for /dev/mqueue
>> Warning no default label for /dev/pts/0
>> Warning no default label for /tmp/.font-unix
>> Warning no default label for /tmp/.XIM-unix
>> Warning no default label for /tmp/.X11-unix
>> Warning no default label for /tmp/.Test-unix
>> Warning no default label for /tmp/.ICE-unix
>> Would relabel /sys/kernel/debug/tracing from
>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>> root at debianSE:~# restorecon -v -R -n /
>> Warning no default label for /dev/mqueue
>> Warning no default label for /dev/pts/0
>> Warning no default label for /tmp/.font-unix
>> Warning no default label for /tmp/.XIM-unix
>> Warning no default label for /tmp/.X11-unix
>> Warning no default label for /tmp/.Test-unix
>> Warning no default label for /tmp/.ICE-unix
>>
>> Why?
>>
>> I think otherwise this bug can be reassigned to refpolicy.
>>
>> Thanks again Dominick
>> Kind Regards,
>>        Christian Göttsche
>>
>> P.s.:
>> The kernel patch is over here:
>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>> (might be Linux 4.2? plenty enough for me)
>>
>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>>>
>>> If your kernel is not too old, then it also works for sysfs
>>>
>>>>
>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>>>>> wrote:
>>>>>> reassign 849637 policycoreutils
>>>>>> thanks
>>>>>>
>>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>>>>>>
>>>>>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>>>  > is mislabeled after boot:
>>>>>>  >
>>>>>>  > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>>>  > Would relabel /sys/devices/system/cpu/online from
>>>>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>>
>>>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>>>
>>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>>> initscript is explicitly relabeling it during boot.
>>>>>>
>>>>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>>>>
>>>>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>>>>
>>>>>> Reassigning to policycoreutils
>>>>>>
>>>>>> Laurent Bigonville
>>>>>
>>>>> you should be able to add a genfscon() in policy for this, provided that
>>>>> the kernel is not too old to support that feature
>>>>>
>>>>> I would avoid the alternative if possible
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>> Dominick Grift
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> SELinux-devel mailing list
>>>>> SELinux-devel at lists.alioth.debian.org
>>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
>>>
>>>
> 
> 


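The thread's two answers (genfscon works for sysfs on recent kernels, and a separate genfscon is needed for tracefs because it is its own filesystem mounted under /sys/kernel/debug) both follow from how genfscon lookup works: the kernel first selects rules by filesystem type, then takes the longest matching path prefix relative to that filesystem's own root. The following is an added example, not code from the thread, refpolicy or the kernel; it is a toy model of that lookup with a constructed mount table and constructed rules mirroring the snippets above, and it shows why a `genfscon sysfs /kernel/debug/tracing` line never labels anything inside the tracefs mount.

```python
# Added example: a toy model of the kernel's genfscon label lookup.
# Assumption (modelled, not the kernel's code): rules are filtered by the
# filesystem *type* the inode lives on, then the longest path prefix wins,
# with the path taken relative to that filesystem's own mount root.
from typing import Dict, List, Optional, Tuple

# genfscon rules as (fstype, path_prefix, context); constructed to mirror the
# statements discussed in the thread.
GENFSCON_RULES: List[Tuple[str, str, str]] = [
    ("sysfs",   "/",                          "system_u:object_r:sysfs_t:s0"),
    ("sysfs",   "/devices/system/cpu/online", "system_u:object_r:cpu_online_t:s0"),
    ("debugfs", "/",                          "system_u:object_r:debugfs_t:s0"),
    ("tracefs", "/",                          "system_u:object_r:tracefs_t:s0"),
    ("proc",    "/",                          "system_u:object_r:proc_t:s0"),
]

# Constructed mount table: mount point -> filesystem type.
MOUNTS: Dict[str, str] = {
    "/proc": "proc",
    "/sys": "sysfs",
    "/sys/kernel/debug": "debugfs",
    "/sys/kernel/debug/tracing": "tracefs",
}


def _is_prefix(prefix: str, path: str) -> bool:
    """True when `prefix` equals `path` or is a directory ancestor of it."""
    if prefix == "/":
        return path.startswith("/")
    return path == prefix or path.startswith(prefix + "/")


def resolve_mount(path: str, mounts: Dict[str, str] = MOUNTS) -> Tuple[str, str, str]:
    """Return (mount_point, fstype, path relative to that filesystem's root).

    The longest mount point that is a prefix of `path` wins, so a path under
    /sys/kernel/debug/tracing belongs to tracefs, not to debugfs or sysfs.
    """
    best = max((m for m in mounts if _is_prefix(m, path)), key=len, default=None)
    if best is None:
        raise ValueError(f"{path} is not on a filesystem in the mount table")
    rel = path[len(best):] or "/"
    return best, mounts[best], rel


def genfs_label(path: str,
                rules: List[Tuple[str, str, str]] = GENFSCON_RULES,
                mounts: Dict[str, str] = MOUNTS) -> Optional[str]:
    """Context genfscon would assign to `path`, or None if no rule matches.

    Only rules for the filesystem type `path` lives on are considered; among
    those, the longest matching prefix (relative to the fs root) wins.
    """
    _, fstype, rel = resolve_mount(path, mounts)
    candidates = [(p, ctx) for fs, p, ctx in rules
                  if fs == fstype and _is_prefix(p, rel)]
    if not candidates:
        return None
    return max(candidates, key=lambda pc: len(pc[0]))[1]


def label_without_tracefs_rule(path: str) -> Optional[str]:
    """Reproduce the mistake from the thread: a sysfs rule for the tracing
    directory instead of a tracefs rule. Constructed rule set."""
    wrong_rules = [r for r in GENFSCON_RULES if r[0] != "tracefs"]
    wrong_rules.append(("sysfs", "/kernel/debug/tracing",
                        "system_u:object_r:tracefs_t:s0"))
    # Resolve the mount table without a tracefs entry first: the directory is
    # then the debugfs mountpoint and gets debugfs_t, never the sysfs rule.
    mounts = {m: fs for m, fs in MOUNTS.items() if fs != "tracefs"}
    return genfs_label(path, wrong_rules, mounts)


if __name__ == "__main__":
    for p in ("/sys/devices/system/cpu", "/sys/devices/system/cpu/online",
              "/sys/kernel/debug/tracing", "/sys/kernel/debug/tracing/events"):
        print(f"{p:40s} -> {genfs_label(p)}")
    print("with only a sysfs rule for the tracing dir:",
          label_without_tracefs_rule("/sys/kernel/debug/tracing"))
```

The model deliberately ignores the lazy labelling the thread observes (an inode's label being computed on first access), it only shows which rule can ever apply. Because the selection is by filesystem type, a sysfs rule can only reach inodes that sysfs itself owns; everything under the tracefs mount point needs `genfscon tracefs`.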
