[DSE-Dev] Bug#849637: Bug#849637: /sys/devices/system/cpu/online SELinux context

cgzones cgzones at googlemail.com
Sat Dec 31 12:46:58 UTC 2016


Thanks again for your feedback.
The statement I was looking for is: genfscon debugfs /tracing
gen_context(system_u:object_r:tracefs_t,s0)
I added the filecontexts:
/sys/kernel/debug/.*
gen_context(system_u:object_r:debugfs_t,s0)
/sys/kernel/debug/tracing(/.*)?
gen_context(system_u:object_r:tracefs_t,s0)
to avoid restorecon spamming me with messages like:
restorecon:  Warning no default label for /sys/kernel/debug/ieee80211
restorecon:  Warning no default label for /sys/kernel/debug/clk
restorecon:  Warning no default label for /sys/kernel/debug/clk/osc

Kind Regards,
      Christian Göttsche

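The two mechanisms this thread turns on, genfscon path matching inside one filesystem type and the mount table deciding which filesystem a path is on, can be modelled in a few lines. The following is an added example, not code from the thread, refpolicy or the kernel; its rule sets, mount tables and contexts are constructed to mirror the statements quoted above (the cpu_online and tracefs rules, and the first attempt that addressed the tracing directory as a sysfs path), and it shows why /sys/kernel/debug/tracing carries debugfs_t until tracefs is mounted on demand and tracefs_t afterwards.

```python
"""Model of how SELinux genfscon labels paths on pseudo filesystems.

Added example, not code from the thread, refpolicy or the kernel. It
reproduces two rules: (1) within one filesystem type the genfscon entry
with the longest matching path prefix wins, and (2) the mount table
decides which filesystem a path belongs to, so a directory that becomes
a mount point (tracefs on /sys/kernel/debug/tracing, mounted on demand)
changes filesystem type, and therefore label, at mount time.
All rule sets, mount tables and contexts below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Genfscon:
    """One `genfscon <fstype> <path> <context>` statement."""
    fstype: str
    path: str      # relative to the root of that filesystem, "/" for the root
    context: str


# Constructed rule set with a dedicated tracefs statement, as suggested in
# the thread ("genfscon tracefs / ...").
RULES = [
    Genfscon("sysfs", "/", "system_u:object_r:sysfs_t:s0"),
    Genfscon("sysfs", "/devices/system/cpu/online",
             "system_u:object_r:cpu_online_t:s0"),
    Genfscon("debugfs", "/", "system_u:object_r:debugfs_t:s0"),
    Genfscon("tracefs", "/", "system_u:object_r:tracefs_t:s0"),
]

# Constructed rule set reproducing the first attempt in the thread: the
# tracing directory addressed as a sysfs path and no tracefs statement.
ATTEMPT_RULES = [
    Genfscon("sysfs", "/", "system_u:object_r:sysfs_t:s0"),
    Genfscon("sysfs", "/kernel/debug/tracing",
             "system_u:object_r:tracefs_t:s0"),
    Genfscon("debugfs", "/", "system_u:object_r:debugfs_t:s0"),
]

# Constructed mount tables: before and after tracefs is mounted on demand.
MOUNTS_BEFORE = {"/sys": "sysfs", "/sys/kernel/debug": "debugfs"}
MOUNTS_AFTER = {**MOUNTS_BEFORE, "/sys/kernel/debug/tracing": "tracefs"}


def genfs_context(fstype: str, path: str,
                  rules: List[Genfscon] = RULES) -> Optional[str]:
    """Context for `path` (relative to the root of an `fstype` filesystem).

    The kernel compares only the leading len(entry.path) characters, so an
    entry matches every path it is a prefix of, and the longest prefix wins.
    None means no genfscon statement covers this filesystem type at all.
    """
    best: Optional[Genfscon] = None
    for rule in rules:
        if rule.fstype != fstype or not path.startswith(rule.path):
            continue
        if best is None or len(rule.path) > len(best.path):
            best = rule
    return best.context if best else None


def split_mount(abspath: str, mounts: Dict[str, str]) -> Tuple[str, str]:
    """Resolve an absolute path to (fstype, path within that filesystem)
    using the deepest mount point that contains it."""
    best_mp: Optional[str] = None
    for mp in mounts:
        if abspath == mp or abspath.startswith(mp.rstrip("/") + "/"):
            if best_mp is None or len(mp) > len(best_mp):
                best_mp = mp
    if best_mp is None:
        raise ValueError(f"{abspath} is not below any known mount point")
    rel = abspath[len(best_mp.rstrip("/")):] or "/"
    return mounts[best_mp], rel


def label_for(abspath: str, mounts: Dict[str, str],
              rules: List[Genfscon] = RULES) -> Optional[str]:
    """Label the kernel would assign to `abspath` under `mounts` and `rules`."""
    fstype, rel = split_mount(abspath, mounts)
    return genfs_context(fstype, rel, rules)


if __name__ == "__main__":
    for path in ("/sys/devices/system/cpu/online",
                 "/sys/kernel/debug/clk/osc",
                 "/sys/kernel/debug/tracing",
                 "/sys/kernel/debug/tracing/events"):
        print(f"{path}\n  before tracefs mount: {label_for(path, MOUNTS_BEFORE)}"
              f"\n  after tracefs mount:  {label_for(path, MOUNTS_AFTER)}")
```

With ATTEMPT_RULES the tracing directory resolves to debugfs_t before the mount (it is a plain directory on debugfs, so the sysfs statement never applies) and to no genfscon context at all afterwards, because the filesystem type is then tracefs and nothing covers it; with RULES the same path flips from debugfs_t to tracefs_t at mount time, which is exactly the "changes on first access" behaviour reported above, and no file context spec or restorecon run is involved in either case.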
2016-12-31 12:49 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
> On 12/31/2016 12:41 PM, Dominick Grift wrote:
>> On 12/31/2016 12:38 PM, Dominick Grift wrote:
>>> On 12/31/2016 11:34 AM, cgzones wrote:
>>>> Wow!
>>>>
>>>> Thank you very much, I was completely unaware of this feature.
>>>> I did not read any documentation of it on selinuxproject.org or in The
>>>> SELinux Notebook v4 about it.
>>>>
>>>> I got it working via
>>>>
>>>> genfscon sysfs /devices/system/cpu/online
>>>> gen_context(system_u:object_r:cpu_online_t,s0)
>>>>
>>>> at https://github.com/cgzones/debian-package-refpolicy/commit/3ba127468436334275398a824260383208ee58b1
>>>>
>>>> One small issue arises for me:
>>>> I tried to set up the directory '/sys/kernel/debug/tracing' via
>>>> 'genfscon sysfs /kernel/debug/tracing
>>>> gen_context(system_u:object_r:tracefs_t,s0)'
>>>> but it is still labeled initially system_u:object_r:debugfs_t:s0 after
>>>> boot, but seems to change on the first access?
>
> I misread, yes I think tracefs is mounted on demand. But this should not
> be a problem because users of tracefs need to be able to traverse debugfs
> anyway.
>
>>>
>>> you need a genfscon for tracefs, it is mounted on the
>>> kernel/debug/tracing dir
>>>
>>> genfscon tracefs / gen_context()
>>
>> Also a word of advice: don't add any fc specs for anything under /sys
>>
>> The stuff in there isn't files (it's a pseudo fs like /proc, and proc
>> also doesn't have fc specs)
>>
>>>
>>>>
>>>> Example pattern:
>>>>
>>>> [...] boot + ssh login
>>>> root at debianSE:~# restorecon -v -R -n /
>>>> Warning no default label for /dev/mqueue
>>>> Warning no default label for /dev/pts/0
>>>> Warning no default label for /tmp/.font-unix
>>>> Warning no default label for /tmp/.XIM-unix
>>>> Warning no default label for /tmp/.X11-unix
>>>> Warning no default label for /tmp/.Test-unix
>>>> Warning no default label for /tmp/.ICE-unix
>>>> Would relabel /sys/kernel/debug/tracing from
>>>> system_u:object_r:debugfs_t:s0 to system_u:object_r:tracefs_t:s0
>>>> root at debianSE:~# restorecon -v -R -n /
>>>> Warning no default label for /dev/mqueue
>>>> Warning no default label for /dev/pts/0
>>>> Warning no default label for /tmp/.font-unix
>>>> Warning no default label for /tmp/.XIM-unix
>>>> Warning no default label for /tmp/.X11-unix
>>>> Warning no default label for /tmp/.Test-unix
>>>> Warning no default label for /tmp/.ICE-unix
>>>>
>>>> Why?
>>>>
>>>> I think otherwise this bug can be reassigned to refpolicy.
>>>>
>>>> Thanks again Dominick
>>>> Kind Regards,
>>>>        Christian Göttsche
>>>>
>>>> P.s.:
>>>> The kernel patch is over here:
>>>> https://github.com/torvalds/linux/commit/8e01472078763ebc1eaea089a1adab75dd982ccd
>>>> (might be Linux 4.2? plenty enough for me)
>>>>
>>>> 2016-12-31 9:43 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>>>> On 12/30/2016 10:51 PM, cgzones wrote:
>>>>>> But isn't genfscon with subcontexts only available on the /proc filesystem?
>>>>>
>>>>> If your kernel is not too old, then it also works for sysfs
>>>>>
>>>>>>
>>>>>> 2016-12-30 22:18 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
>>>>>>> On Fri, 30 Dec 2016 12:39:05 +0100 Laurent Bigonville <bigon at debian.org>
>>>>>>> wrote:
>>>>>>>> reassign 849637 policycoreutils
>>>>>>>> thanks
>>>>>>>>
>>>>>>>> On Thu, 29 Dec 2016 12:36:30 +0100 cgzones <cgzones at googlemail.com> wrote:
>>>>>>>>
>>>>>>>>  > When running an SELinux-enabled system /sys/devices/system/cpu/online
>>>>>>>>  > is mislabeled after boot:
>>>>>>>>  >
>>>>>>>>  > root at test1:/root/selinux/policy# restorecon -vv -R -F -n /sys
>>>>>>>>  > Would relabel /sys/devices/system/cpu/online from
>>>>>>>>  > system_u:object_r:sysfs_t:s0 to system_u:object_r:cpu_online_t:s0
>>>>>>>>
>>>>>>>> Not sure why this is assigned to systemd as this is not created by systemd.
>>>>>>>>
>>>>>>>> It's working with sysvinit because the selinux-autorelabel LSB
>>>>>>>> initscript is explicitly relabeling it during boot.
>>>>>>>>
>>>>>>>> Under systemd, that initscript is masked by the selinux-autorelabel.service.
>>>>>>>>
>>>>>>>> I was planning to add a tmpfiles for this, but apparently I forgot about it.
>>>>>>>>
>>>>>>>> Reassigning to policycoreutils
>>>>>>>>
>>>>>>>> Laurent Bigonville
>>>>>>>
>>>>>>> you should be able to add a genfscon() in policy for this, provided that
>>>>>>> the kernel is not too old to support that feature
>>>>>>>
>>>>>>> I would avoid the alternative if possible
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>>>> Dominick Grift
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> SELinux-devel mailing list
>>>>>>> SELinux-devel at lists.alioth.debian.org
>>>>>>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>