On Wed, Jan 8, 2020 at 4:04 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 1/8/20 8:34 AM, Ondrej Mosnacek wrote:
> > On Wed, Dec 18, 2019 at 4:35 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >> On 12/18/19 10:13 AM, Christian Göttsche wrote:
> >>> Hi,
> >>>
> >>> I am trying to refine contexts of sysfs.
> >>>
> >>> When using genfscon statements like:
> >>> genfscon sysfs / system_u:object_r:sysfs_t:s0
> >>> genfscon sysfs /class/net system_u:object_r:net_sysfs_t:s0
> >>> genfscon sysfs /devices system_u:object_r:generic_device_sysfs_t:s0
> >>> genfscon sysfs /devices/system/cpu system_u:object_r:cpu_sysfs_t:s0
> >>> genfscon sysfs /devices/system/cpu/online system_u:object_r:cpu_online_sysfs_t:s0
> >>> genfscon sysfs /firmware system_u:object_r:firmware_sysfs_t:s0
> >>> genfscon sysfs /module/apparmor system_u:object_r:apparmor_sysfs_t:s0
> >>>
> >>> and file context definitions like:
> >>> /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
> >>> /sys/module/apparmor(/.*)? gen_context(system_u:object_r:apparmor_sysfs_t,s0)
> >>> /sys/devices/system/cpu(/.*)? gen_context(system_u:object_r:cpu_sysfs_t,s0)
> >>> /sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_sysfs_t,s0)
> >>> /sys/firmware(/.*)? gen_context(system_u:object_r:firmware_sysfs_t,s0)
> >>> /sys/devices(/.*)? gen_context(system_u:object_r:generic_device_sysfs_t,s0)
> >>> /sys/devices/.*/sd[a-z](/.*)? gen_context(system_u:object_r:harddrive_sysfs_t,s0)
> >>> /sys/devices/.*/hwmon(/.*)? gen_context(system_u:object_r:hwmon_sysfs_t,s0)
> >>> /sys/class/net(/.*)? gen_context(system_u:object_r:net_sysfs_t,s0)
> >>> /sys/devices/.*/net(/.*)? gen_context(system_u:object_r:net_sysfs_t,s0)
> >>>
> >>> with a systemd tmpfiles entry:
> >>> #Type Path Mode UID GID Age Argument
> >>> Z /sys - - - - -
> >>>
> >>> I still get incorrectly labeled entries after boot:
> >>>
> >>> $ restorecon -v -R -n /
> >>> Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/0-0:AD1980/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D1c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0c/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>> Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/pcmC0D0p/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
> >>>
> >>> Using auditallow statements reveals no accesses.
> >>>
> >>> How can I enforce these entries to be created with correct labels?
> >>
> >> kernel version? v5.2 introduced improved sysfs/kernfs support for
> >> inheritance of SELinux labels, circa commit
> >> e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security
> >> of newly created nodes").
> >
> > That's correct, since v5.2 the full-name genfs labeling will not work,
> > you will have to substitute these rules with filename type transitions
> > (or set the labels manually).
>
> Wait... is that really true? If so, that's a kernel-userspace interface
> regression, which isn't permitted. New kernel with old policy must
> continue to provide the same behavior. Android certainly relies upon
> extensive labeling of sysfs nodes.

Wait... actually I think it should work. I thought for a while that the
xattr would be updated if a node's attribute would differ from its
parent's, but that's not how the kernfs hook works. It will only
explicitly change a child's xattr context if the parent's one has been
explicitly set (which can usually be done only upon a request from
userspace). Sorry for the false alarm.

Looking at the restorecon output above it looks like all the mislabeled
files are symlinks, so this is likely also caused by the S_ISLNK()
exception.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
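As an added example (not part of the thread), a small Python helper that reproduces the kernel's genfscon lookup for the sysfs rules quoted above and checks each `restorecon -n -v` line against it, so a policy writer can see whether the file_contexts target and the genfscon rule disagree for a path or whether the stray label came from somewhere else; it assumes sysfs is mounted at /sys and that the rule set is exactly the one in the thread.

```python
import re

# genfscon rules for fstype sysfs as quoted in the thread (class field omitted,
# so each rule applies to every object class); rule path -> context
GENFSCON_SYSFS = {
    "/": "system_u:object_r:sysfs_t:s0",
    "/class/net": "system_u:object_r:net_sysfs_t:s0",
    "/devices": "system_u:object_r:generic_device_sysfs_t:s0",
    "/devices/system/cpu": "system_u:object_r:cpu_sysfs_t:s0",
    "/devices/system/cpu/online": "system_u:object_r:cpu_online_sysfs_t:s0",
    "/firmware": "system_u:object_r:firmware_sysfs_t:s0",
    "/module/apparmor": "system_u:object_r:apparmor_sysfs_t:s0",
}
SYSFS_MOUNT = "/sys"  # assumption: sysfs is mounted at /sys

def genfs_lookup(abs_path, rules=GENFSCON_SYSFS, mount=SYSFS_MOUNT):
    # Mirrors the kernel's genfscon matching: the rule path is compared against
    # the path relative to the filesystem root with a plain string-prefix test
    # and the longest matching rule wins, so "/devices" also covers "/devicesX".
    if abs_path != mount and not abs_path.startswith(mount + "/"):
        raise ValueError(f"{abs_path} is not under {mount}")
    rel = abs_path[len(mount):] or "/"
    matches = [p for p in rules if rel.startswith(p)]
    return rules[max(matches, key=len)]

RELABEL_RE = re.compile(r"^Would relabel (\S+) from (\S+) to (\S+)$")

def analyse_restorecon(output):
    # Parse `restorecon -n -v` lines; fc_matches_genfs=False means file_contexts
    # and genfscon disagree for the path, True means neither rule set produced
    # the current label as written (it was inherited or set some other way).
    rows = []
    for line in output.splitlines():
        m = RELABEL_RE.match(line.strip())
        if not m:
            continue
        path, current, target = m.groups()
        genfs = genfs_lookup(path)
        rows.append({"path": path, "current": current, "file_contexts": target,
                     "genfscon": genfs, "fc_matches_genfs": genfs == target})
    return rows

# Two lines taken from the restorecon output in the thread.
SAMPLE = """\
Would relabel /sys/devices/platform/intel_rapl_msr.0/subsystem from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
Would relabel /sys/devices/pci0000:00/0000:00:05.0/sound/card0/controlC0/device from system_u:object_r:sysfs_t:s0 to system_u:object_r:generic_device_sysfs_t:s0
"""
if __name__ == "__main__":
    for row in analyse_restorecon(SAMPLE):
        print(row)
```

For the paths in the thread both rule sets agree on generic_device_sysfs_t, so the observed sysfs_t label was not produced by either as written.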