On Thu, 2017-10-19 at 21:15 +0000, Nathan Owen wrote:
> Hi,
>
> As a disclaimer, I am very new to SELinux policy development.
>
> My team and I are responsible for software architecture on an embedded (Red Hat) system. We pre-build the file system and save it to a squashfs that is then burned to the device. The result of this is that the system is, for the most part, read-only.
>
> The problem is that we would like to start using SELinux, but we do not know if there is a way we can pre-label the files before saving them to the squashfs. We cannot label them at runtime as the file system is read only.
>
> Does anyone know if there is a way to pre-label an embedded Linux file system from a development computer that does not have the same SELinux policies as the embedded platform?

Android does this (setting the extended attributes during image build), and I believe OpenEmbedded / Yocto now also supports this capability, so it is certainly possible to do. However, that's using tools for generating ext[234] images that support setting the security.selinux attributes directly; they aren't mounting the filesystem on the host and populating it that way. So you'd need to integrate similar support into squashfs tools if it doesn't already exist (don't know).

If you are mounting the filesystem on the host and populating it via the regular filesystem interface, and if the host runs SELinux, then the process needs CAP_MAC_ADMIN and SELinux mac_admin capability2 permission in order to set "foreign" contexts (unknown to the host policy) on files via setxattr(); that was introduced for things like livecd-creator IIRC. There is a domain in the stock Fedora/RHEL policy for that, setfiles_mac_t or similar.

But that's not needed if you are just generating the image file directly.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
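Added example (Python, not from the thread or any project named in it): the labels for a staged root can be computed on the development host from the target policy's file_contexts alone, without the host's policy, and then either handed to an image builder that writes security.selinux or applied through setxattr() as the reply describes. It assumes a constructed sample file_contexts whose regexes are simple enough to be Python-compatible, libselinux's last-matching-entry-wins rule, and a hypothetical staging directory.

```python
import os
import re
# Constructed sample of the target policy's file_contexts (not a real policy).
SAMPLE_FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t:s0
/bin(/.*)?          system_u:object_r:bin_t:s0
/bin/sh        --   system_u:object_r:shell_exec_t:s0
/etc/shadow    --   system_u:object_r:shadow_t:s0
/proc          -d   <<none>>
"""
# file_contexts type field -> kind used below (subset of the real set).
TYPE_FIELDS = {"--": "reg", "-d": "dir", "-l": "lnk"}

def parse_file_contexts(text):
    """Parse file_contexts lines into (anchored regex, type filter, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            regex, ctx, ftype = fields[0], fields[1], None
        else:
            continue
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs

def lookup_context(specs, target_path, kind="reg"):
    """libselinux rule: the last matching entry wins; <<none>> or no match
    yields None, i.e. leave the file unlabeled."""
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and TYPE_FIELDS.get(ftype) != kind:
            continue
        if regex.match(target_path):
            return None if ctx == "<<none>>" else ctx
    return None

def label_tree(specs, staging_root, apply=False):
    """Map each path under the staged root to its label as the target sees it;
    apply=True writes it with setxattr() (CAP_MAC_ADMIN on an SELinux host)."""
    labels = {}
    for dirpath, dirnames, filenames in os.walk(staging_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            kind = "lnk" if os.path.islink(full) else "dir" if os.path.isdir(full) else "reg"
            target = "/" + os.path.relpath(full, staging_root)
            labels[target] = lookup_context(specs, target, kind)
            if apply and labels[target]:
                os.setxattr(full, "security.selinux", labels[target].encode() + b"\0", follow_symlinks=False)
    return labels
```

Running label_tree(specs, "./staging") without apply gives a dry-run manifest you can diff against the labels the finished image actually carries, which is the check worth keeping in the build pipeline.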