On 02/18/2014 10:03 AM, Stephen Smalley wrote:
> On 02/15/2014 01:09 PM, Luis Ressel wrote:
>> Hello,
>>
>> The genfscon policy statement has an argument "partial_path" which can be
>> used to use specialized contexts for subpaths inside a file system.
>> However, the documentation mentions that this can only be used for the
>> proc filesystem. Is this really the case, and if yes, why? I'd like to
>> use it for the sysfs.
>>
>> The motivation for this is that both the Fedora and the Gentoo policy
>> have cpu_online_t for /sys/devices/system/cpu/online, as this file is
>> accessed by all applications linked to a recent glibc and therefore needs
>> wider access permissions than the normal sysfs_t. Currently, the context
>> is changed at startup via an init script, which is a bit of a hack. It
>> would be neat if a genfscon statement could be used for that.
>>
>> Is this currently possible or would it require changes to the kernel
>> and/or the selinux libraries?
>
> Setting from userspace is preferable when possible, so just do that. In
> Android, there is a recursive restorecon (equivalent of restorecon -R)
> applied to /sys on boot to set up the labels of all sysfs files based on
> file_contexts entries and their udev equivalent (ueventd) fixes up the
> labels on any sysfs files created subsequently.
>
> genfs_contexts path prefix matching support for a given filesystem requires
> kernel code changes, and we try to avoid it. For /proc it makes sense
> since the entire proc tree is kernel generated and immutable by userspace
> and since proc does not provide xattr handlers. For sysfs we explored use
> of genfs_contexts but preferred a userspace solution and that is now
> supported by modern kernels.
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

We are using systemd-tmpfiles.d for this in Fedora/RHEL7.

cat /lib/tmpfiles.d/selinux-policy.conf
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -
z /sys/kernel/uevent_helper - - -
w /sys/fs/selinux/checkreqprot - - - - 1
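As an added example (not code from the thread or from the selinux-policy package): a small Python parser for the tmpfiles.d lines quoted above that maps each entry to the restorecon or write action it stands in for, so the effect of the Fedora/RHEL7 approach can be inspected without running systemd-tmpfiles. The sample configuration is a constructed copy of the snippet in the mail; the mapping to restorecon assumes the mode/user/group fields are left at "-", as they are there.

```python
"""Parse tmpfiles.d lines (Type Path Mode User Group Age Argument) and
plan the equivalent relabel/write actions for the SELinux sysfs case."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of /lib/tmpfiles.d/selinux-policy.conf as quoted in the mail.
SAMPLE_CONF = """\
z /sys/devices/system/cpu/online - - -
Z /sys/class/net - - -
z /sys/kernel/uevent_helper - - -
w /sys/fs/selinux/checkreqprot - - - - 1
"""

@dataclass
class Entry:
    kind: str               # tmpfiles.d type letter: z, Z, w, ...
    path: str
    argument: Optional[str]  # seventh field, None when absent or "-"

def parse_tmpfiles(text: str) -> List[Entry]:
    """Parse tmpfiles.d lines; '-' means 'use the default', and trailing
    fields may simply be omitted (as the z/Z lines above do)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 2:
            raise ValueError(f"malformed tmpfiles.d line: {raw!r}")
        argument = " ".join(fields[6:]) if len(fields) > 6 else None
        if argument == "-":
            argument = None
        entries.append(Entry(fields[0], fields[1], argument))
    return entries

def plan_actions(entries: List[Entry]) -> List[str]:
    """Map each entry to the shell command it replaces (mode/user/group
    are assumed to be '-', so z/Z reduce to a file_contexts relabel)."""
    plan = []
    for e in entries:
        if e.kind == "z":        # relabel one path from file_contexts
            plan.append(f"restorecon {e.path}")
        elif e.kind == "Z":      # relabel the tree recursively
            plan.append(f"restorecon -R {e.path}")
        elif e.kind == "w":      # write the argument into an existing file
            plan.append(f"echo {e.argument!r} > {e.path}")
        else:
            raise ValueError(f"unsupported tmpfiles.d type {e.kind!r} for {e.path}")
    return plan
```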