Re: incorrect sysfs contexts

On Wed, 18 Dec 2019 at 16:35, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> On 12/18/19 10:13 AM, Christian Göttsche wrote:
> > Hi,
> >
> > I am trying to refine contexts of sysfs.
> >
> > When using genfscon statements like:
> >      genfscon sysfs /  system_u:object_r:sysfs_t:s0
> >      genfscon sysfs /class/net  system_u:object_r:net_sysfs_t:s0
> >      genfscon sysfs /devices  system_u:object_r:generic_device_sysfs_t:s0
> >      genfscon sysfs /devices/system/cpu  system_u:object_r:cpu_sysfs_t:s0
> >      genfscon sysfs /devices/system/cpu/online  system_u:object_r:cpu_online_sysfs_t:s0
> >      genfscon sysfs /firmware  system_u:object_r:firmware_sysfs_t:s0
> >      genfscon sysfs /module/apparmor  system_u:object_r:apparmor_sysfs_t:s0
> >
> > and file context definitions like:
> >      /sys(/.*)?                          gen_context(system_u:object_r:sysfs_t,s0)
> >      /sys/module/apparmor(/.*)?          gen_context(system_u:object_r:apparmor_sysfs_t,s0)
> >      /sys/devices/system/cpu(/.*)?       gen_context(system_u:object_r:cpu_sysfs_t,s0)
> >      /sys/devices/system/cpu/online  --  gen_context(system_u:object_r:cpu_online_sysfs_t,s0)
> >      /sys/firmware(/.*)?                 gen_context(system_u:object_r:firmware_sysfs_t,s0)
> >      /sys/devices(/.*)?                  gen_context(system_u:object_r:generic_device_sysfs_t,s0)
> >      /sys/devices/.*/sd[a-z](/.*)?       gen_context(system_u:object_r:harddrive_sysfs_t,s0)
> >      /sys/devices/.*/hwmon(/.*)?         gen_context(system_u:object_r:hwmon_sysfs_t,s0)
> >      /sys/class/net(/.*)?                gen_context(system_u:object_r:net_sysfs_t,s0)
> >      /sys/devices/.*/net(/.*)?           gen_context(system_u:object_r:net_sysfs_t,s0)
> >
> > with a systemd tmpfiles entry:
> >      #Type Path        Mode UID  GID  Age Argument
> >      Z     /sys        -    -    -    -   -
> >
> > I still get incorrect labeled entries after boot:
> >
> > $ restorecon -v -R -n /
> > Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/0-0:AD1980/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >
> > Using auditallow statements reveals no accesses.
> >
> > How can I enforce these entries to be created with correct labels?
>
> kernel version? v5.2 introduced improved sysfs/kernfs support for
> inheritance of SELinux labels, circa commit
> e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security
> of newly created nodes").

Default Debian sid kernel:
Linux debian-test 5.3.0-3-amd64 #1 SMP Debian 5.3.15-1 (2019-12-07) x86_64 GNU/Linux

Somehow symlinks do not inherit their parent label.
They all have the root-sysfs label.

Remounting sysfs with `mount -o remount -t sysfs /sys` leaves all
symlinks with the root-sysfs label.

Notes:
This is a custom refpolicy-based policy (the kernel module was modified).
Also happens in permissive mode.
$ compute_create system_u:system_r:kernel_t:s0 system_u:object_r:generic_device_sysfs_t:s0 lnk_file
system_u:object_r:generic_device_sysfs_t:s0
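As an added illustration (my own code, not from the thread, refpolicy or libselinux), the script below predicts the context that each of the two mechanisms quoted above would assign to a sysfs path and compares both with what `restorecon -v -R -n` reported. The genfscon statements, file_contexts entries and restorecon lines are constructed from the messages above; the kernel's genfscon lookup is modelled as a longest string-prefix match, and the file_contexts ordering is a simplified stand-in for fc_sort (last matching entry wins, as in libselinux).

```python
"""Audit sysfs labels: what genfscon and file_contexts predict for a path
versus what restorecon -n reported. Example code, not the thread's own."""
import re

# Constructed from the genfscon statements quoted in the thread.
GENFSCON = """\
genfscon sysfs /  system_u:object_r:sysfs_t:s0
genfscon sysfs /class/net  system_u:object_r:net_sysfs_t:s0
genfscon sysfs /devices  system_u:object_r:generic_device_sysfs_t:s0
genfscon sysfs /devices/system/cpu  system_u:object_r:cpu_sysfs_t:s0
genfscon sysfs /devices/system/cpu/online  system_u:object_r:cpu_online_sysfs_t:s0
genfscon sysfs /firmware  system_u:object_r:firmware_sysfs_t:s0
genfscon sysfs /module/apparmor  system_u:object_r:apparmor_sysfs_t:s0
"""

# Constructed file_contexts entries, with gen_context() already expanded.
FILE_CONTEXTS = """\
/sys(/.*)?                      system_u:object_r:sysfs_t:s0
/sys/module/apparmor(/.*)?      system_u:object_r:apparmor_sysfs_t:s0
/sys/devices/system/cpu(/.*)?   system_u:object_r:cpu_sysfs_t:s0
/sys/devices/system/cpu/online  --  system_u:object_r:cpu_online_sysfs_t:s0
/sys/firmware(/.*)?             system_u:object_r:firmware_sysfs_t:s0
/sys/devices(/.*)?              system_u:object_r:generic_device_sysfs_t:s0
/sys/devices/.*/sd[a-z](/.*)?   system_u:object_r:harddrive_sysfs_t:s0
/sys/devices/.*/hwmon(/.*)?     system_u:object_r:hwmon_sysfs_t:s0
/sys/class/net(/.*)?            system_u:object_r:net_sysfs_t:s0
/sys/devices/.*/net(/.*)?       system_u:object_r:net_sysfs_t:s0
"""

# Constructed sample of `restorecon -v -R -n /` output, line-wrapped the way
# the mail client wrapped it in the thread.
RESTORECON_OUTPUT = """\
Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from
system_u:object_r:sysfs_t:s0 to
system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/device
from system_u:object_r:sysfs_t:s0 to
system_u:object_r:generic_device_sysfs_t:s0
"""

META = set(".^$?*+|[({\\")
RELABEL_RE = re.compile(r"Would relabel (\S+) from (\S+) to (\S+)")


def parse_genfscon(text, fstype="sysfs"):
    """Return [(path_prefix, context)] for one filesystem type."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "genfscon" and parts[1] == fstype:
            rules.append((parts[2], parts[3]))
    return rules


def genfs_label(rules, relpath):
    """Kernel semantics (as modelled here): genfscon paths are plain string
    prefixes of the path relative to the mount point; the longest one wins."""
    best = None
    for prefix, ctx in rules:
        if relpath.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, ctx)
    return best[1] if best else None


def parse_file_contexts(text):
    """Return [(regex, file_type_flag_or_None, context)]."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        entries.append((parts[0], parts[1] if len(parts) == 3 else None, parts[-1]))
    return entries


def _specificity(entry):
    """Simplified fc_sort key: a longer literal prefix before the first regex
    metacharacter is more specific; at equal length, no metacharacters at all
    is more specific still. Higher key sorts later and therefore wins."""
    regex = entry[0]
    first_meta = next((i for i, ch in enumerate(regex) if ch in META), len(regex))
    return (first_meta, first_meta == len(regex))


def fc_label(entries, path, ftype=None):
    """libselinux scans its specs from the end, so the last matching (most
    specific) entry wins; regexes are anchored at both ends. ftype is a
    file_contexts type flag such as "--" or "-l"; None matches every entry."""
    label = None
    for regex, etype, ctx in sorted(entries, key=_specificity):
        if etype is not None and ftype is not None and etype != ftype:
            continue
        if re.fullmatch(regex, path):
            label = ctx
    return label


def parse_restorecon(text):
    """Undo mail-client line wrapping and return [(path, current, proposed)]."""
    return [m.groups() for m in RELABEL_RE.finditer(" ".join(text.split()))]


def audit(rules, entries, restorecon_text, mount="/sys"):
    """Per reported path: what each policy source predicts, whether the two
    agree, and whether the kernel's actual label is the genfscon one."""
    findings = []
    for path, current, proposed in parse_restorecon(restorecon_text):
        by_genfs = genfs_label(rules, path[len(mount):] or "/")
        by_fc = fc_label(entries, path)
        findings.append({"path": path, "current": current, "genfscon": by_genfs,
                         "file_contexts": by_fc, "restorecon_proposes": proposed,
                         "policies_agree": by_genfs == by_fc,
                         "kernel_used_genfscon": current == by_genfs})
    return findings


if __name__ == "__main__":
    for f in audit(parse_genfscon(GENFSCON), parse_file_contexts(FILE_CONTEXTS), RESTORECON_OUTPUT):
        print(f["path"], "agree" if f["policies_agree"] else "DISAGREE",
              "kernel-by-genfscon" if f["kernel_used_genfscon"] else "kernel-label-differs")
```

For the two sample paths the sources agree (both predict generic_device_sysfs_t) while the kernel assigned sysfs_t, which is the pattern reported above. The script also makes the type flag on the `/sys/devices/system/cpu/online -- ...` entry visible: asked about a symlink (`-l`) at that path, fc_label falls back to the cpu_sysfs_t entry, so a type-restricted entry never labels a symlink.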



