Re: [PATCH] selinux: enable genfscon labeling for securityfs

On Thu, Sep 16, 2021 at 1:41 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
> On Wed, 15 Sept 2021 at 20:28, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >
> > On Wed, Sep 15, 2021 at 12:24 PM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > >
> > > Add support for genfscon per-file labeling of securityfs files. This allows
> > > for separate labels and thereby permissions for different files, e.g.
> > > /sys/kernel/security/integrity/ima/policy.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > ---
> > >  security/selinux/hooks.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > Hi Christian,
> >
> > It would be nice if you could add some additional notes on how this
> > was tested to the description above.
> >
> > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > index 6517f221d52c..a18626424731 100644
> > > --- a/security/selinux/hooks.c
> > > +++ b/security/selinux/hooks.c
> > > @@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> > >             !strcmp(sb->s_type->name, "tracefs") ||
> > >             !strcmp(sb->s_type->name, "binder") ||
> > >             !strcmp(sb->s_type->name, "bpf") ||
> > > -           !strcmp(sb->s_type->name, "pstore"))
> > > +           !strcmp(sb->s_type->name, "pstore") ||
> > > +           !strcmp(sb->s_type->name, "securityfs"))
> > >                 sbsec->flags |= SE_SBGENFS;
> > >
> > >         if (!strcmp(sb->s_type->name, "sysfs") ||
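Review bot: the description still records nothing about how the change was tested; since the hunk only appends `!strcmp(sb->s_type->name, "securityfs")` to the chain that sets `SE_SBGENFS`, the description is the only place a reader can learn that a `genfscon securityfs ...` rule was actually loaded and the expected label observed on the file, so please add the test procedure and its result. It is also worth stating what label securityfs files receive under a policy that carries no securityfs genfscon entry, because every such policy now takes the genfs lookup path for this filesystem as well.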
> > > --
> > > 2.33.0
> >
> > --
> > paul moore
> > www.paul-moore.com
>
> Something like:
>
>     Add support for genfscon per-file labeling of securityfs files. This allows
>     for separate labels and thereby access control for different files.
>     For example a genfscon statement
>         genfscon securityfs /integrity/ima/policy system_u:object_r:ima_policy_t:s0
>     will set a specific label on the IMA policy file and thus allow
>     controlling the ability to set the IMA policy.
>     Setting labels directly, e.g. via chcon(1) or setfiles(8), is
>     still not supported.
>
> ?

That's a much better description of the functionality, especially for
those who may not be very familiar with SELinux, thank you.  However I
was hoping to also hear some confirmation that you have tested this
and it worked without problem?

-- 
paul moore
www.paul-moore.com
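As an added example, not part of the patch or of anything posted in this thread, the following CIL policy module exercises the labeling that the proposed description talks about. The type name `ima_policy_t` and the genfscon path come from the proposed description; `ima_admin_t` is a hypothetical domain name chosen for the example, and the module assumes the base policy already defines `system_u`, `object_r` and the sensitivity `s0`.

```cil
;; Added example, not code from the patch: a small CIL module that gives the
;; IMA policy file in securityfs its own type. Per-file securityfs labels are
;; only honoured once the kernel sets SE_SBGENFS for securityfs, as the patch does.
;; Assumptions: the base policy defines system_u, object_r and s0;
;; ima_admin_t is a hypothetical domain allowed to load the IMA policy.

(type ima_policy_t)
(roletype object_r ima_policy_t)

;; The path is relative to the securityfs mount point (/sys/kernel/security).
;; The longest matching genfscon prefix wins, so this entry takes precedence
;; over a generic "/" entry for securityfs in the base policy.
(genfscon securityfs "/integrity/ima/policy"
    (system_u object_r ima_policy_t ((s0) (s0))))

;; Loading an IMA policy means writing the path of a policy file into this
;; node, so write is the permission that matters.
(type ima_admin_t)
(allow ima_admin_t ima_policy_t (file (getattr open write)))

;; No other domain is given write on ima_policy_t, so a process that can reach
;; securityfs under its generic label can no longer replace the IMA policy.
;; chcon/setfiles cannot relabel securityfs files, so the genfscon rule above
;; is the only way this label is ever assigned.
```

Save it as `ima_policy.cil` and load it with `semodule -i ima_policy.cil`, then run `ls -Z /sys/kernel/security/integrity/ima/policy`. On a kernel with the patch the file shows `ima_policy_t`; on an unpatched kernel the per-path lookup is skipped for securityfs and the file keeps the label of the securityfs root entry, which is the quickest way to confirm the kernel side is in effect.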



