On Fri, Oct 23, 2020 at 2:05 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Fri, Oct 23, 2020 at 12:02 PM Ian M <merinian@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > I hope this is the right list for this question:
> >
> > I've got an embedded system that uses its initramfs as its root filesystem as well. At boot, after the selinux policy loads, everything on the rootfs is incorrectly labeled as system_u:object_r:root_t. I have temporarily worked around this by adding a restorecon on the rootfs at boot, but

IIRC, when I worked on the Android integration we had to do the same thing. Android comes with its own init in the ramdisk, so we just called restorecon on the parts of the ramdisk that were of interest within the init daemon codebase itself. I don't think there's any way around that IIRC, as the CPIO archive doesn't support xattrs.

I do recall seeing this patchset: https://lwn.net/Articles/788922/

I didn't look much into it, but if that got merged, you might be able to apply labels to ramdisk images.

> > since the rootfs is a ramdisk the changes do not survive a system reboot.
> >
> > I may be incorrect, but my understanding (assumption?) is that the labels would be applied when the policy is loaded at boot. So I cannot understand why the labels are always incorrect.
> >
> Filesystem labels are not applied when the policy is labeled. On filesystems that support xattrs, a fs_use_xattr rule is used to tell SELinux to use the label stored in the security.selinux xattrs, but the filesystem will still have to be labeled initially. If the fs does not support xattrs and every file can be labeled the same, then a genfscon rule can be used.
>
> I am not sure of your exact case, but you can find more information in the SELinux Notebook - See https://github.com/SELinuxProject/selinux-notebook
>
> Jim
>
> >
> > Thanks,
> >
> > Ian
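A small check for the situation Ian describes (a ramdisk rootfs where every file comes up as root_t after policy load): it compares observed labels against a file_contexts specification and reports what a boot-time restorecon would have to fix. This is an added example, not code from the thread; the file_contexts entries and the `ls -Z`-style observations are constructed, and the matcher uses a simplified "last matching entry wins" rule rather than libselinux's full stem-ordered lookup.

```python
import re

# Constructed file_contexts fragment (not from the thread). Regexes are
# anchored at both ends, the way libselinux treats them.
FILE_CONTEXTS = """\
/.*                 system_u:object_r:root_t:s0
/bin(/.*)?          system_u:object_r:bin_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/shadow     --  system_u:object_r:shadow_t:s0
/dev(/.*)?          system_u:object_r:device_t:s0
/proc               <<none>>
"""

# Constructed observation of the booted ramdisk rootfs: everything that
# a CPIO archive cannot carry an xattr for has fallen back to root_t.
OBSERVED = {
    "/bin/sh":     "system_u:object_r:root_t:s0",
    "/etc/fstab":  "system_u:object_r:root_t:s0",
    "/etc/shadow": "system_u:object_r:root_t:s0",
    "/dev/null":   "system_u:object_r:device_t:s0",
}

# regex, optional file-type field (e.g. "--", "-d"), then the context
_ENTRY = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")

def parse_file_contexts(text):
    """Return [(compiled_regex, context)] in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        regex, _ftype, ctx = m.groups()
        entries.append((re.compile("^" + regex + "$"), ctx))
    return entries

def expected_context(entries, path):
    """Simplified lookup: last matching entry wins; <<none>> means 'unlabeled'."""
    ctx = None
    for rx, c in entries:
        if rx.match(path):
            ctx = c
    return None if ctx == "<<none>>" else ctx

def find_mislabeled(entries, observed):
    """Map path -> (expected, observed) for every file restorecon would relabel."""
    return {p: (expected_context(entries, p), cur) for p, cur in observed.items()
            if expected_context(entries, p) not in (None, cur)}

if __name__ == "__main__":
    for path, (want, have) in find_mislabeled(parse_file_contexts(FILE_CONTEXTS), OBSERVED).items():
        print(f"{path}: {have} -> {want}")
```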