Re: target context of security:setbool permission check

On Mon, Mar 2, 2020 at 10:44 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> currently the target context of the security:setbool permission check
> is hardcoded to the security-initial-sid.[1][2]
> Nowadays it is possible to label the boolean pseudo files via genfscon.
>
> Is this by design or did nobody yet make it possible to base the check
> on the actual file-context?
>
> Or is the current access limitation to booleans via the file:write
> permission to the boolean pseudo-files sufficient?

I would think the file write check suffices if you want that level of
granularity, while keeping the setbool check as a coarse-grained control
over who can set booleans at all.  setbool is also used to control the
ability to commit pending bools.  Most of the security permissions
predate selinuxfs itself and harken back to the original system call
interface although that wouldn't be the case for booleans.



>
>
> [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
> [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290
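
Added example, not part of the original thread or of any project's policy: a fragment in SELinux kernel policy language showing the two layers discussed above, the coarse security:setbool check and the per-boolean file:write check on a genfscon-labelled pseudo-file. The names webadm_t, app_bool_t and app_feature are hypothetical; security_t is assumed to be the type of the security initial SID, as in refpolicy-style policies, and the s0 level assumes an MLS/MCS policy.

```selinux
# Hypothetical names: webadm_t (an existing admin domain), app_bool_t,
# app_feature. security_t is assumed to be the type assigned to the
# security initial SID and to the default selinuxfs label.

# Dedicated type for one boolean's pseudo-file.
type app_bool_t;

# Label /sys/fs/selinux/booleans/app_feature. The path is relative to the
# selinuxfs root. In a non-CIL build, genfscon belongs in the base policy.
genfscon selinuxfs /booleans/app_feature system_u:object_r:app_bool_t:s0

# Coarse gate: security:setbool is checked against the security initial
# SID, not against the boolean file's own label. This rule only says
# "webadm_t may set and commit booleans at all".
allow webadm_t security_t:security setbool;

# Fine-grained gate: reach the booleans directory and write only the
# pseudo-file labelled app_bool_t.
allow webadm_t security_t:dir search;
allow webadm_t app_bool_t:file { getattr open read write };

# Deliberately absent: any write rule on security_t:file. Booleans without
# their own genfscon entry keep the default selinuxfs label, so webadm_t
# cannot write them even though it holds setbool. Committing a pending
# value additionally needs write access to commit_pending_bools under
# whatever label the policy gives that file; that is not granted here.
```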



