Thanks, cpio supporting extended attributes would be very helpful right now.

After looking through the ref policy I see there is a genfscon statement for rootfs which is what is labeling everything as root_t. Would I break everything terribly if I removed that and set up an fs_use_xattr for the rootfs?

Thanks,
Ian Merin

> On Oct 23, 2020, at 3:49 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
> On Fri, Oct 23, 2020 at 2:05 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>>
>> On Fri, Oct 23, 2020 at 12:02 PM Ian M <merinian@xxxxxxxxx> wrote:
>>>
>>> Hello,
>>>
>>> I hope this is the right list for this question:
>>>
>>> I've got an embedded system that uses its initramfs as its root filesystem as well. At boot, after the selinux policy loads, everything on the rootfs is incorrectly labeled as system_u:object_r:root_t. I have temporarily worked around this by adding a restorecon on the rootfs at boot, but
>
> IIRC, when I worked on the Android integration we had to do the same
> thing. Android comes with its own init in the ramdisk, so we just
> called restorecon on the parts of the ramdisk that were of interest
> within the init daemon codebase itself. I don't think there's any way
> around that IIRC as the CPIO archive doesn't support xattrs.
>
> I do recall seeing this patchset:
> https://lwn.net/Articles/788922/
>
> I didn't look much into it, but if that got merged, you might be able
> to apply labels to ramdisk images.
>
>>> since the rootfs is a ramdisk the changes do not survive a system reboot.
>>>
>>> I may be incorrect, but my understanding (assumption?) is that the labels would be applied when the policy is loaded at boot. So I cannot understand why the labels are always incorrect.
>>>
>> Filesystem labels are not applied when the policy is loaded. On
>> filesystems that support xattrs, a fs_use_xattr rule is used to tell
>> SELinux to use the label stored in the security.selinux xattrs, but
>> the filesystem will still have to be labeled initially. If the fs does
>> not support xattrs and every file can be labeled the same, then a
>> genfscon rule can be used.
>>
>> I am not sure of your exact case, but you can find more information in
>> the SELinux Notebook - See
>> https://github.com/SELinuxProject/selinux-notebook
>>
>> Jim
>>
>>>
>>> Thanks,
>>>
>>> Ian
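The following is an added example and is not code from anyone in this thread. It shows how a practitioner can tell, on a running system, whether a mount point is labeled per file from xattrs or only from a blanket genfscon rule: the kernel exposes the "seclabel" mount option in /proc/mounts for filesystems whose labels SELinux reads from security.selinux xattrs (fs_use_xattr), and omits it for a filesystem such as a genfscon-labeled rootfs. The /proc/mounts content embedded below is constructed for illustration, and the report function assumes restorecon from policycoreutils is installed; the restorecon call is a dry run that only lists files whose label differs from file_contexts.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Decide whether a
# mount point carries per-file SELinux labels by looking for the
# "seclabel" mount option the kernel reports in /proc/mounts. A rootfs
# covered only by a genfscon rule has no such option: every file gets
# the one context from the rule (root_t in the thread), and any
# restorecon result lives in the ramdisk only until the next boot.

# Constructed sample in /proc/mounts format. Only the rootfs line lacks
# seclabel; /sys and /data would be labeled from xattrs.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /data ext4 rw,seclabel,relatime 0 0'

# mount_opts MOUNTPOINT [MOUNTS_TEXT]
# Print the mount-option field for MOUNTPOINT. When MOUNTS_TEXT is
# given it is parsed instead of the live /proc/mounts (used for the
# constructed sample and for testing).
mount_opts() {
    mp=$1
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2"
    else
        cat /proc/mounts
    fi | awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }'
}

# xattr_labeled MOUNTPOINT [MOUNTS_TEXT]
# Return 0 if the filesystem at MOUNTPOINT is labeled from xattrs
# (seclabel present), 1 if its labels come from a genfscon rule or the
# filesystem is not labeled at all.
xattr_labeled() {
    case ",$(mount_opts "$@")," in
        *,seclabel,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# report_rootfs
# Summarize how / is labeled on the running system and, when restorecon
# is available, list (dry run, -n) the files whose current label does
# not match file_contexts. Pseudo-filesystems are excluded so the walk
# stays on the real rootfs.
report_rootfs() {
    if xattr_labeled /; then
        echo "/ is xattr-labeled: restorecon changes persist for the life of the image"
    else
        echo "/ has no seclabel option: labels come from a genfscon rule, one type for every file"
    fi
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -n -v -R -e /proc -e /sys -e /dev / 2>/dev/null
    fi
}

# Usage: sh this_script.sh --report
if [ "${1-}" = "--report" ]; then
    report_rootfs
fi
```

On the system in the thread, the report prints the genfscon line for / and a long dry-run list from restorecon, since every file still carries root_t; after switching the rootfs to an xattr-based rule (and labeling it once), the same report shows seclabel on / and an empty dry-run list.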