On Wed, May 20, 2015 at 01:25:58PM -0400, Stephen Smalley wrote:
> On 05/20/2015 12:28 PM, Dominick Grift wrote:
> > On Wed, May 20, 2015 at 12:24:50PM -0400, Stephen Smalley wrote:
> >> On 05/20/2015 12:20 PM, Dominick Grift wrote:
> >>> On Wed, May 20, 2015 at 12:13:18PM -0400, Stephen Smalley wrote:
> >>>> On 05/20/2015 12:04 PM, Dominick Grift wrote:
> >>>>> On Wed, May 20, 2015 at 11:59:34AM -0400, Stephen Smalley wrote:
> >>>>>> On 05/20/2015 11:51 AM, Dominick Grift wrote:
> >>>>>>> On Tue, May 19, 2015 at 03:46:06PM -0400, Stephen Smalley wrote:
> >>>
> >>>>>> The original motivating use case for per-file labeling for sysfs was
> >>>>>> libvirt labeling of specific sysfs nodes to make them accessible to
> >>>>>> specific virtual machines (qemu instances). In that scenario, we needed
> >>>>>> userspace to be able to drive the labeling based on more than just the
> >>>>>> pathname and so genfs_contexts wasn't suitable.
> >>>
> >>> I do not think that is applicable anymore (although I may be wrong).
> >>
> >> Not sure what you mean, but to clarify, I mean that libvirt has to set
> >> the context (at least the categories for MCS and possibly the type as
> >> well) on any sysfs node that needs to be accessible by the qemu
> >> instance. At least that used to be the case.
> >>
> >
> > That is what I mean. I am not aware of any such scenarios today. Again, I might be overlooking it.
>
> Would only show up if you are doing PCI passthrough, I believe.
>
> Also possible that they never leveraged the support in libvirt even
> after we got the kernel support merged. But not to say that it wouldn't
> improve their security nonetheless today...
>

Thanks, I hadn't noticed that. Your patch would not break that functionality.

Thanks for your patch; it will allow me to start labeling some files in /sys as well. I just really did not feel comfortable relying on systemd-tmpfiles for that.
-- 
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift