[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context

Dominick Grift dac.override at gmail.com
Sat Dec 31 11:49:55 UTC 2016


On 12/31/2016 12:41 PM, Dominick Grift wrote:
> On 12/31/2016 12:38 PM, Dominick Grift wrote:
>> On 12/31/2016 11:34 AM, cgzones wrote:
>>> Wow!
>>>
>>> Thank you very much, I was completely unaware of this feature.
>>> I did not read any documentation of it on selinuxproject.org or in The
>>> SELinux Notebook v4 about it.
>>>
>>> I got it working via
>>>
>>> genfscon sysfs /devices/system/cpu/online
>>> gen_context(system_u:object_r:cpu_online_t,s0)
>>>
>>> at https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>>
>>> One small issue arises for me:
>>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>>> 'genfscon sysfs /kernel/debug/tracing
>>> gen_context(system_u:object_r:tracefs_t,s0)'
>>> but is it still labeled initially system_u:object_r:debugfs_t:s0 after
>>> boot but seems to change on the first access?

I misread, yes, I think tracefs is mounted on demand. But this should not
be a problem because users of tracefs need to be able to traverse debugfs
anyway.

>>
>> you need a genfscon for tracefs, it is mounted on the
>> kernel/debug/tracing dir
>>
>> genfscon tracefs / gen_context()
> 
> Also a word of advice: don't add any fc specs for anything under /sys
> 
> The things in there are not files (it's a pseudo fs like /proc, and proc
> also doesn't have fc specs)
> 
>>
>>>
>>> Example pattern:
>>>
>>> [...] boot + ssh login
>>> root at debianSE:~# restorecon -v -R -n /
>>> Warning no default label for /dev/mqueue
>>> Warning no default label for /dev/pts/0
>>> Warning no default label for /tmp/.font-unix
>>> Warning no default label for /tmp/.XIM-unix
>>> Warning no default label for /tmp/.X11-unix
>>> Warning no default label for /tmp/.Test-unix
>>> Warning no default label for /tmp/.ICE-unix
>>> Would relabel /sys/kernel/debug/tracing from
>>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>>> root at debianSE:~# restorecon -v -R -n /
>>> Warning no default label for /dev/mqueue
>>> Warning no default label for /dev/pts/0
>>> Warning no default label for /tmp/.font-unix
>>> Warning no default label for /tmp/.XIM-unix
>>> Warning no default label for /tmp/.X11-unix
>>> Warning no default label for /tmp/.Test-unix
>>> Warning no default label for /tmp/.ICE-unix
>>>
>>> Why?
>>>
>>> I think otherwise this bug can be reassigned to refpolicy.
>>>
>>> Thanks again Dominick
>>> Kindly Regards,
>>>        Christian Göttsche
>>>
>>> P.s.:
>>> The kernel patch is over here:
>>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>>> (might be Linux 4.2? plenty enough for me)
>>>
>>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>>>>
>>>> If your kernel is not too old, then it also works for sysfs
>>>>
>>>>>
>>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>>>>>> wrote:
>>>>>>> reassign 849637 policycoreutils
>>>>>>> thanks
>>>>>>>
>>>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>>>>>>>
>>>>>>>  > When running a SELinux enabled system /sys/devices/system/cpu/online
>>>>>>>  > is mislabeled after boot:
>>>>>>>  >
>>>>>>>  > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>>>>  > Would relabel /sys/devices/system/cpu/online from
>>>>>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>>>
>>>>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>>>>
>>>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>>>> initscript is explicitly relabeling it during boot.
>>>>>>>
>>>>>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>>>>>
>>>>>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>>>>>
>>>>>>> Reassigning to policycoreutils
>>>>>>>
>>>>>>> Laurent Bigonville
>>>>>>
>>>>>> you should be able to add a genfscon() in policy for this, provided that
>>>>>> the kernel is not too old to support that feature
>>>>>>
>>>>>> I would avoid the alternative if possible


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
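The two cases discussed in this thread, written out as refpolicy-style genfscon statements. This is an added illustration, not code from the thread or from the refpolicy tree; placement in a kernel-layer .te file and the cpu_online_t / tracefs_t type declarations are assumed.

```text
# sysfs is a pseudo filesystem: its entries are labeled through genfscon at
# mount/lookup time, not through file_contexts, so no fc spec is written for /sys.
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

# Path-based genfscon on sysfs needs a kernel carrying the patch linked in the
# thread (thought to be Linux 4.2); on older kernels everything under /sys stays sysfs_t.
genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)

# /sys/kernel/debug/tracing lives on the debugfs mount at /sys/kernel/debug, so a
# sysfs path entry for /kernel/debug/tracing never applies and the directory shows
# debugfs_t after boot. tracefs is a separate filesystem mounted there (on demand,
# as the thread notes, on first access), so label the tracefs filesystem itself.
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
```

After a reboot with this policy, `ls -Z /sys/devices/system/cpu/online` should already report cpu_online_t with no restorecon pass, which is the behaviour cgzones confirmed above.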
