On Wed, 15 Sept 2021 at 20:28, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Wed, Sep 15, 2021 at 12:24 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Add support for genfscon per-file labeling of securityfs files. This allows
> > for separate labels and thereby permissions for different files, e.g.
> > /sys/kernel/security/integrity/ima/policy.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > ---
> >  security/selinux/hooks.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
>
> Hi Christian,
>
> It would be nice if you could add some additional notes on how this
> was tested to the description above.
>
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 6517f221d52c..a18626424731 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> >  		    !strcmp(sb->s_type->name, "tracefs") ||
> >  		    !strcmp(sb->s_type->name, "binder") ||
> >  		    !strcmp(sb->s_type->name, "bpf") ||
> > -		    !strcmp(sb->s_type->name, "pstore"))
> > +		    !strcmp(sb->s_type->name, "pstore") ||
> > +		    !strcmp(sb->s_type->name, "securityfs"))
> >  			sbsec->flags |= SE_SBGENFS;
> >
> >  		if (!strcmp(sb->s_type->name, "sysfs") ||
> > --
> > 2.33.0
>
> --
> paul moore
> www.paul-moore.com

Something like:

    Add support for genfscon per-file labeling of securityfs files. This allows
    for separate labels and thereby access control for different files.
    For example a genfscon statement

        genfscon securityfs /integrity/ima/policy system_u:object_r:ima_policy_t:s0

    will set a specific label on the IMA policy file and thus allow controlling
    the ability to set the IMA policy.

    Setting labels directly, e.g. via chcon(1) or setfiles(8), is still not
    supported.

?
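Review bot: the commit message should state why "securityfs" is added only to the SE_SBGENFS chain and not to the second strcmp chain that begins in the hunk's trailing context (`if (!strcmp(sb->s_type->name, "sysfs") ||`), since a reader of the diff will otherwise expect the two lists to move together; the proposed wording in the reply ("Setting labels directly, e.g. via chcon(1) or setfiles(8), is still not supported.") records exactly that decision and belongs in the changelog next to the testing notes Paul asked for.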