On 11/16/2016 12:59 PM, Dominick Grift wrote:
>
> I forgot to add the genfscon's for selinuxfs and securityfs and
> the selinux filesystem ended up associated with the context
> associated with the unlabeled initial sid.
>
> Why did the security initial sid not kick in instead of unlabeled?
>
> If the security isid is not there to ensure selinuxfs is labeled
> appropriately then what is it there for?

$ grep -r SECINITSID_SECURITY security/selinux
security/selinux/selinuxfs.c: return avc_has_perm(sid, SECINITSID_SECURITY,

It is used as the target/object SID for the permission checks on the
"security" class performed upon operations on selinuxfs (and
pre-selinuxfs, it was likewise used for the corresponding permission
checks on the added SELinux system calls). Could probably make it used
as the default for selinuxfs nodes as well, but not presently done.
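
A policy-source check for the omission discussed in this thread, as an added example that is not part of either message: it lists filesystem types that have no genfscon statement, in kernel policy language or CIL. The function names, the sample policy and its context names are constructed for illustration, and comments are assumed to start at `#` or `;`.

```shell
#!/bin/sh
# Added example (not from the thread): list filesystem types with no genfscon
# statement in a policy source file. Accepts kernel policy language
#   genfscon selinuxfs / system_u:object_r:security_t:s0
# and CIL
#   (genfscon selinuxfs / (system_u object_r security_t ((s0) (s0))))

# missing_genfscon POLICY_FILE FSTYPE...
# Prints every FSTYPE lacking a genfscon rule; returns 1 if any is missing.
missing_genfscon() {
    policy=$1
    shift
    rc=0
    for fs in "$@"; do
        if ! awk -v fs="$fs" '
            { sub(/[#;].*/, ""); gsub(/[()]/, " ") }   # drop comments and CIL parens
            $1 == "genfscon" && $2 == fs { found = 1 }
            END { exit !found }
        ' "$policy"; then
            echo "$fs"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample policy: the selinuxfs rule is commented out and
# securityfs has no rule at all. All context names are hypothetical.
write_sample_policy() {
    cat > "$1" <<'EOF'
; constructed CIL fragment for the demo
(genfscon proc / (sys.id sys.role proc.fs ((s0) (s0))))
(genfscon sysfs / (sys.id sys.role sysfs.fs ((s0) (s0))))
; (genfscon selinuxfs / (sys.id sys.role selinux.fs ((s0) (s0))))
EOF
}

demo=$(mktemp)
write_sample_policy "$demo"
missing_genfscon "$demo" proc sysfs selinuxfs securityfs ||
    echo "the types above fall back to the unlabeled initial SID" >&2
rm -f "$demo"
```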