On Wed, 18 Dec 2019 at 16:35, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> On 12/18/19 10:13 AM, Christian Göttsche wrote:
> > Hi,
> >
> > I am trying to refine contexts of sysfs.
> >
> > When using genfscon statements like:
> > genfscon sysfs / system_u:object_r:sysfs_t:s0
> > genfscon sysfs /class/net system_u:object_r:net_sysfs_t:s0
> > genfscon sysfs /devices system_u:object_r:generic_device_sysfs_t:s0
> > genfscon sysfs /devices/system/cpu system_u:object_r:cpu_sysfs_t:s0
> > genfscon sysfs /devices/system/cpu/online system_u:object_r:cpu_online_sysfs_t:s0
> > genfscon sysfs /firmware system_u:object_r:firmware_sysfs_t:s0
> > genfscon sysfs /module/apparmor system_u:object_r:apparmor_sysfs_t:s0
> >
> > and file context definitions like:
> > /sys(/.*)?                          gen_context(system_u:object_r:sysfs_t,s0)
> > /sys/module/apparmor(/.*)?          gen_context(system_u:object_r:apparmor_sysfs_t,s0)
> > /sys/devices/system/cpu(/.*)?       gen_context(system_u:object_r:cpu_sysfs_t,s0)
> > /sys/devices/system/cpu/online  --  gen_context(system_u:object_r:cpu_online_sysfs_t,s0)
> > /sys/firmware(/.*)?                 gen_context(system_u:object_r:firmware_sysfs_t,s0)
> > /sys/devices(/.*)?                  gen_context(system_u:object_r:generic_device_sysfs_t,s0)
> > /sys/devices/.*/sd[a-z](/.*)?       gen_context(system_u:object_r:harddrive_sysfs_t,s0)
> > /sys/devices/.*/hwmon(/.*)?         gen_context(system_u:object_r:hwmon_sysfs_t,s0)
> > /sys/class/net(/.*)?                gen_context(system_u:object_r:net_sysfs_t,s0)
> > /sys/devices/.*/net(/.*)?           gen_context(system_u:object_r:net_sysfs_t,s0)
> >
> > with a systemd tmpfiles entry:
> > #Type Path Mode UID GID Age Argument
> > Z /sys - - - - -
> >
> > I still get incorrectly labeled entries after boot:
> >
> > $ restorecon -v -R -n /
> > Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/0-0:AD1980/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> > Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >
> > Using auditallow statements reveals no accesses.
> >
> > How can I enforce these entries to be created with correct labels?
>
> kernel version? v5.2 introduced improved sysfs/kernfs support for
> inheritance of SELinux labels, circa commit
> e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security
> of newly created nodes").

Default Debian sid kernel:
Linux debian-test 5.3.0-3-amd64 #1 SMP Debian 5.3.15-1 (2019-12-07) x86_64 GNU/Linux

Somehow symlinks do not inherit their parent label. They all have the root sysfs label.
Remounting sysfs with `mount -o remount -t sysfs /sys` leaves all symlinks with the root sysfs label.

Notes:
This is a custom refpolicy-based policy (the kernel module was modified).
It also happens in permissive mode.

$ compute_create system_u:system_r:kernel_t:s0 system_u:object_r:generic_device_sysfs_t:s0 lnk_file
system_u:object_r:generic_device_sysfs_t:s0
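The reply above narrows the symptom down to symlinks: directories under /sys/devices pick up the genfscon-derived parent label, while the `device` and `subsystem` links next to them keep the root sysfs label. A `restorecon -n` dry run only tells you what file_contexts would assign; the check a practitioner actually wants is "which symlinks differ from their own parent directory's label", which isolates the inheritance question from the file_contexts regexes. The following shell diagnostic is an added example, not code from the thread or from refpolicy. It assumes GNU findutils' `-printf '%y %Z %p\n'` output (type, SELinux context, path, directories before their children); the sample lines are constructed to mirror the paths in the post, not captured from a real host.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread): list sysfs symlinks whose
# SELinux label differs from the label of the nearest listed ancestor
# directory. Input lines are "<type> <context> <path>", the shape that
#   find /sys -printf '%y %Z %p\n'
# produces on a GNU findutils / SELinux host. find emits a directory
# before its children, which the single awk pass relies on. Whitespace in
# paths is not handled; sysfs entry names do not contain any.

# Constructed sample mirroring the paths from the restorecon output in the
# post; it is not captured from a real machine.
SAMPLE='d system_u:object_r:sysfs_t:s0 /sys
d system_u:object_r:generic_device_sysfs_t:s0 /sys/devices
d system_u:object_r:generic_device_sysfs_t:s0 /sys/devices/platform/intel_rapl_msr.0
l system_u:object_r:sysfs_t:s0 /sys/devices/platform/intel_rapl_msr.0/subsystem
d system_u:object_r:generic_device_sysfs_t:s0 /sys/devices/pci0000:00/0000:00:05.0/sound/card0
l system_u:object_r:sysfs_t:s0 /sys/devices/pci0000:00/0000:00:05.0/sound/card0/device
l system_u:object_r:sysfs_t:s0 /sys/devices/pci0000:00/0000:00:05.0/sound/card0/subsystem
f system_u:object_r:generic_device_sysfs_t:s0 /sys/devices/pci0000:00/0000:00:05.0/sound/card0/id
d system_u:object_r:cpu_sysfs_t:s0 /sys/devices/system/cpu
l system_u:object_r:cpu_sysfs_t:s0 /sys/devices/system/cpu/cpu0/firmware_node'

# mislabeled_symlinks: stdin -> one line per offending symlink:
#   <path> <parent directory label> <symlink label>
# Regular files are ignored; only the directory-vs-symlink comparison
# matters for the inheritance question.
mislabeled_symlinks() {
  awk '
    $1 == "d" { dir[$3] = $2; next }
    $1 != "l" { next }
    {
      p = $3
      # Climb towards / until an ancestor with a recorded label is found
      # (intermediate directories may be absent from a filtered listing).
      while (!(p in dir) && p != "/") {
        sub("/[^/]*$", "", p)
        if (p == "") p = "/"
      }
      if ((p in dir) && dir[p] != $2) print $3, dir[p], $2
    }
  '
}

# count_mislabeled: same input, prints only the number of hits.
count_mislabeled() {
  mislabeled_symlinks | awk 'END { print NR }'
}

# Stand-alone run on the constructed sample. On a live SELinux host with
# GNU find, replace the printf with:  find /sys -printf '%y %Z %p\n'
printf '%s\n' "$SAMPLE" | mislabeled_symlinks
```

On the constructed sample the three `device`/`subsystem` links under /sys/devices are reported with parent label generic_device_sysfs_t and link label sysfs_t, while `cpu0/firmware_node`, whose label matches its cpu_sysfs_t ancestor, is not. Run against a real /sys, an empty result would mean symlinks do inherit and the remaining restorecon findings are a file_contexts issue; a long list of hits confined to symlinks is exactly the pattern the reply describes.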