On Thu, Sep 16, 2021 at 1:41 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > On Wed, 15 Sept 2021 at 20:28, Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > > > On Wed, Sep 15, 2021 at 12:24 PM Christian Göttsche > > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > > > Add support for genfscon per-file labeling of securityfs files. This allows > > > for separate labels and thereby permissions for different files, e.g. > > > /sys/kernel/security/integrity/ima/policy. > > > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > --- > > > security/selinux/hooks.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > Hi Christian, > > > > It would be nice if you could add some additional notes on how this > > was tested to the description above. > > > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > > index 6517f221d52c..a18626424731 100644 > > > --- a/security/selinux/hooks.c > > > +++ b/security/selinux/hooks.c 
> > > @@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, > > > !strcmp(sb->s_type->name, "tracefs") || > > > !strcmp(sb->s_type->name, "binder") || > > > !strcmp(sb->s_type->name, "bpf") || > > > - !strcmp(sb->s_type->name, "pstore")) > > > + !strcmp(sb->s_type->name, "pstore") || > > > + !strcmp(sb->s_type->name, "securityfs")) > > > sbsec->flags |= SE_SBGENFS; > > > > > > if (!strcmp(sb->s_type->name, "sysfs") || > > > -- > > > 2.33.0 > > > > -- > > paul moore > > www.paul-moore.com > > Something like: > > Add support for genfscon per-file labeling of securityfs files. This allows > for separate labels and thereby access control for different files. > For example a genfscon statement > genfscon securityfs /integrity/ima/policy > system_u:object_r:ima_policy_t:s0 > will set a specific label to the IMA policy file and thus allow to > control the ability > to set the IMA policy. > Setting labels directly, e.g. via chcon(1) or setfiles(8), is > still not supported. > > ? That's a much better description of the functionality, especially for those who may not be very familiar with SELinux, thank you. However I was hoping to also hear some confirmation that you have tested this and it worked without problem? -- paul moore www.paul-moore.com
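Review bot: the commit message should state the scope of the change explicitly, since the hunk adds "securityfs" only to the list that sets `sbsec->flags |= SE_SBGENFS;` and leaves the separate `!strcmp(sb->s_type->name, "sysfs")` condition that follows untouched; that matches the revised description in the reply ("Setting labels directly, e.g. via chcon(1) or setfiles(8), is still not supported"), and the original description, which promised "separate labels and thereby permissions" without that caveat, would leave a policy writer expecting relabeling to work. The v1 description also misspells "thereby" as "therby". Finally, as asked in the review, the description should record the test that was run, for example that with a policy containing `genfscon securityfs /integrity/ima/policy system_u:object_r:ima_policy_t:s0` the file under /sys/kernel/security reports that context and access to it is governed by the policy's rules for that type, and that other securityfs files keep their previous label.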