On 11/16/2016 07:10 PM, Stephen Smalley wrote:
> On 11/16/2016 12:59 PM, Dominick Grift wrote:
>>
>> I forgot to add the genfscon's for selinuxfs and securityfs and
>> the selinux filesystem ended up associated with the context
>> associated with the unlabeled initial sid.
>>
>> Why did the security initial sid not kick in instead of unlabeled?
>>
>> If the security isid is not there to ensure selinuxfs is labeled
>> appropriately then what is it there for?
>
> $ grep -r SECINITSID_SECURITY security/selinux
> security/selinux/selinuxfs.c: return avc_has_perm(sid, SECINITSID_SECURITY,
>
> It is used as the target/object SID for the permission checks on the
> "security" class performed upon operations on selinuxfs (and
> pre-selinuxfs, it was likewise used for the corresponding permission
> checks on the added SELinux system calls).
>
> Could probably make it used as the default for selinuxfs nodes as
> well, but not presently done.

Thanks, that explains a lot and makes me wonder whether I should just move selinuxfs/securityfs out of the "sec" module and into the "fs" module. After all, it's just another fs and not different from any other in that sense. Traditionally the security isid context shares the context of the fs in common policy, but I suppose it does not have to be that way.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
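The situation described in the thread, as an added CIL policy fragment that is not part of the original mail or of any existing policy: the security initial SID gets its own context (the target of the "security" class checks), and separate genfscon statements label selinuxfs and securityfs, since without them the mounted filesystems fall back to the unlabeled initial SID. Type names, attributes and the mls ranges are assumptions for illustration.

```cil
; Assumed types; adjust to the policy's own naming.
(type security_t)
(type selinuxfs_t)
(type securityfs_t)

; The security initial SID is the object SID used for checks such as
; avc_has_perm(sid, SECINITSID_SECURITY, SECCLASS_SECURITY, ...).
; Declaring and labeling it does NOT label the selinuxfs mount point.
(sid security)
(sidcontext security (system_u object_r security_t ((s0) (s0))))

; The filesystems themselves need genfscon entries; without these,
; /sys/fs/selinux and /sys/kernel/security show up with the context
; bound to the unlabeled initial SID.
(genfscon selinuxfs / (system_u object_r selinuxfs_t ((s0) (s0))))
(genfscon securityfs / (system_u object_r securityfs_t ((s0) (s0))))
```

After loading the policy, `ls -dZ /sys/fs/selinux /sys/kernel/security` should show the genfscon contexts rather than the unlabeled one; `seinfo --initialsid` lists the initial SIDs the policy defines.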