On 12/18/19 10:13 AM, Christian Göttsche wrote:
Hi,

I am trying to refine contexts of sysfs.

When using genfscon statements like:

genfscon sysfs /                          system_u:object_r:sysfs_t:s0
genfscon sysfs /class/net                 system_u:object_r:net_sysfs_t:s0
genfscon sysfs /devices                   system_u:object_r:generic_device_sysfs_t:s0
genfscon sysfs /devices/system/cpu        system_u:object_r:cpu_sysfs_t:s0
genfscon sysfs /devices/system/cpu/online system_u:object_r:cpu_online_sysfs_t:s0
genfscon sysfs /firmware                  system_u:object_r:firmware_sysfs_t:s0
genfscon sysfs /module/apparmor           system_u:object_r:apparmor_sysfs_t:s0

and file context definitions like:

/sys(/.*)?                          gen_context(system_u:object_r:sysfs_t,s0)
/sys/module/apparmor(/.*)?          gen_context(system_u:object_r:apparmor_sysfs_t,s0)
/sys/devices/system/cpu(/.*)?       gen_context(system_u:object_r:cpu_sysfs_t,s0)
/sys/devices/system/cpu/online  --  gen_context(system_u:object_r:cpu_online_sysfs_t,s0)
/sys/firmware(/.*)?                 gen_context(system_u:object_r:firmware_sysfs_t,s0)
/sys/devices(/.*)?                  gen_context(system_u:object_r:generic_device_sysfs_t,s0)
/sys/devices/.*/sd[a-z](/.*)?       gen_context(system_u:object_r:harddrive_sysfs_t,s0)
/sys/devices/.*/hwmon(/.*)?         gen_context(system_u:object_r:hwmon_sysfs_t,s0)
/sys/class/net(/.*)?                gen_context(system_u:object_r:net_sysfs_t,s0)
/sys/devices/.*/net(/.*)?           gen_context(system_u:object_r:net_sysfs_t,s0)

with a systemd tmpfiles entry:

#Type Path Mode UID GID Age Argument
Z     /sys -    -   -   -   -

I still get incorrectly labeled entries after boot:

$ restorecon -v -R -n /
Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/0-0:AD1980/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0

Using auditallow statements reveals no accesses.

How can I enforce these entries to be created with correct labels?
kernel version? v5.2 introduced improved sysfs/kernfs support for inheritance of SELinux labels, circa commit e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security of newly created nodes").
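As an added illustration (not part of the thread, and not code from the kernel, libselinux or refpolicy), the following Python script models the two label sources the question mixes: the kernel's genfscon lookup, which picks the longest genfscon path that is a plain string prefix of the path relative to the mount point, and the user-space file_contexts lookup used by restorecon, which needs an anchored regex match over the whole path and takes the most specific entry. The genfscon entries, file_contexts entries and two restorecon lines are copied from the message; the path in CONSTRUCTED_PATH is made up, and the "most specific entry" ordering is an approximation of what fc_sort and libselinux do, not their exact code. For the paths restorecon complained about, both policy sources agree on generic_device_sysfs_t, so the stale sysfs_t label is not a genfscon/file_contexts conflict but comes from how the node was labelled when the kernel created it, which is what the kernel-version question in the reply is about. The constructed path shows the other failure mode: because genfscon compares characters rather than path components, the two mechanisms can disagree on a sibling directory whose name merely starts with a genfscon path.

```python
import re

# Added stand-alone illustration. The genfscon lines, file_contexts lines and
# restorecon output are copied from the thread; CONSTRUCTED_PATH is made up.

MOUNT = "/sys"

# genfscon sysfs <path> <context>  (types only; user and role dropped)
GENFSCON = [
    ("/", "sysfs_t"),
    ("/class/net", "net_sysfs_t"),
    ("/devices", "generic_device_sysfs_t"),
    ("/devices/system/cpu", "cpu_sysfs_t"),
    ("/devices/system/cpu/online", "cpu_online_sysfs_t"),
    ("/firmware", "firmware_sysfs_t"),
    ("/module/apparmor", "apparmor_sysfs_t"),
]

# file_contexts entries in file order: (regex, file-type flag or None, type)
FILE_CONTEXTS = [
    (r"/sys(/.*)?", None, "sysfs_t"),
    (r"/sys/module/apparmor(/.*)?", None, "apparmor_sysfs_t"),
    (r"/sys/devices/system/cpu(/.*)?", None, "cpu_sysfs_t"),
    (r"/sys/devices/system/cpu/online", "--", "cpu_online_sysfs_t"),
    (r"/sys/firmware(/.*)?", None, "firmware_sysfs_t"),
    (r"/sys/devices(/.*)?", None, "generic_device_sysfs_t"),
    (r"/sys/devices/.*/sd[a-z](/.*)?", None, "harddrive_sysfs_t"),
    (r"/sys/devices/.*/hwmon(/.*)?", None, "hwmon_sysfs_t"),
    (r"/sys/class/net(/.*)?", None, "net_sysfs_t"),
    (r"/sys/devices/.*/net(/.*)?", None, "net_sysfs_t"),
]

_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def genfscon_type(path):
    """Kernel-side lookup: the path relative to the mount point is compared
    against every genfscon entry with a plain string prefix test and the
    longest matching entry wins. The test is on characters, not on path
    components, so /devices/system/cpu also covers /devices/system/cpuXYZ."""
    rel = path[len(MOUNT):] or "/"
    best = ("", None)
    for prefix, t in GENFSCON:
        if rel.startswith(prefix) and len(prefix) > len(best[0]):
            best = (prefix, t)
    return best[1]


def file_contexts_type(path, is_regular_file=False):
    """User-space lookup as restorecon/setfiles do it: every regex must match
    the whole path, a '--' entry only applies to regular files, and the most
    specific match wins. Specificity is approximated here the way fc_sort
    orders entries (longer literal prefix, then fewer metacharacters, then an
    explicit file type); a later entry wins ties."""
    best_key, best_type = None, None
    for idx, (regex, ftype, t) in enumerate(FILE_CONTEXTS):
        if ftype == "--" and not is_regular_file:
            continue
        if re.fullmatch(regex, path) is None:
            continue
        m = _META.search(regex)
        literal = len(regex) if m is None else m.start()
        key = (literal, -len(_META.findall(regex)), ftype is not None, idx)
        if best_key is None or key > best_key:
            best_key, best_type = key, t
    return best_type


_RELABEL = re.compile(
    r"Would relabel (\S+) from (?:\w+:){2}(\w+):s0 to (?:\w+:){2}(\w+):s0")


def audit_restorecon(output):
    """Parse `restorecon -v -R -n` output and, for each path, put the verdicts
    of both policy sources next to the label the node currently carries."""
    rows = []
    for m in _RELABEL.finditer(output):
        path, current, wanted = m.groups()
        g, f = genfscon_type(path), file_contexts_type(path)
        rows.append({"path": path, "current": current, "restorecon_wants": wanted,
                     "genfscon": g, "file_contexts": f, "policy_agrees": g == f})
    return rows


# Two lines copied from the thread's restorecon output.
SAMPLE_OUTPUT = """\
Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
"""

# Constructed path (not from the thread) on which the two mechanisms disagree.
CONSTRUCTED_PATH = "/sys/devices/system/cpuidle"

if __name__ == "__main__":
    for row in audit_restorecon(SAMPLE_OUTPUT):
        print(row)
    print(CONSTRUCTED_PATH, genfscon_type(CONSTRUCTED_PATH),
          file_contexts_type(CONSTRUCTED_PATH))
```

Running the script prints one row per restorecon line. A row with `policy_agrees: False` points at a genfscon/file_contexts mismatch that should be resolved in policy; a row where both agree but `current` differs, as for every path in the thread, points at the kernel's labelling of the node at creation time rather than at the policy text.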