Christian Göttsche <cgzones@xxxxxxxxxxxxxx> writes:

> Hi,
>
> currently the target context of the security:setbool permission check
> is hardcoded to the security-initial-sid.[1][2]
> Nowadays it is possible to label the boolean pseudo files via genfscon.
>
> Is this by design or did nobody yet make it possible to base the check
> on the actual file-context?
>
> Or is the current access limitation to booleans via the file:write
> permission to the boolean pseudo-files sufficient?

From my experience blocking write access to the bool file is sufficient.

> [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
> [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290

-- 
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
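The two checks the thread discusses, written out as CIL policy statements. This is an added illustration, not policy from either author or from the kernel sources linked above. The type names security_t (the security initial SID) and boolean_t (the genfscon label for the boolean pseudo-files) follow Reference Policy naming and are assumptions; my_admin_t is a placeholder domain.

```cil
; Added example, not from the thread. security_t and boolean_t follow
; Reference Policy naming conventions (assumption); my_admin_t is a
; placeholder for whatever domain is meant to toggle booleans.

; Give the boolean pseudo-files their own type via genfscon, so the
; file-level check below has a target distinct from the initial SID.
(genfscon selinuxfs "/booleans" (system_u object_r boolean_t ((s0) (s0))))

; Check 1: security { setbool }. Its target is always the security
; initial SID (security_t), independent of how the pseudo-file is labelled.
(allow my_admin_t security_t (security (setbool)))

; Check 2: the write to the pseudo-file itself, whose target IS the genfscon
; label. A domain that holds setbool but lacks this rule cannot change the
; boolean, which is the limitation the reply relies on.
(allow my_admin_t boolean_t (file (write)))
```

Because the first check is fixed to the initial SID, policy that wants to confine boolean changes per domain has to do so through the second rule; auditing for denials on boolean_t:file write is therefore the useful signal when a domain attempts a toggle it is not granted.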