On Thu, Sep 16, 2021 at 10:07 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Sep 16, 2021 at 1:41 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> > On Wed, 15 Sept 2021 at 20:28, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > >
> > > On Wed, Sep 15, 2021 at 12:24 PM Christian Göttsche
> > > <cgzones@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > Add support for genfscon per-file labeling of securityfs files. This allows
> > > > for separate labels and thereby permissions for different files, e.g.
> > > > /sys/kernel/security/integrity/ima/policy.
> > > >
> > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > > > ---
> > > > security/selinux/hooks.c | 3 ++-
> > > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > Hi Christian,
> > >
> > > It would be nice if you could add some additional notes on how this
> > > was tested to the description above.
> > >
> > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > > index 6517f221d52c..a18626424731 100644
> > > > --- a/security/selinux/hooks.c
> > > > +++ b/security/selinux/hooks.c
> > > > @@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> > > > !strcmp(sb->s_type->name, "tracefs") ||
> > > > !strcmp(sb->s_type->name, "binder") ||
> > > > !strcmp(sb->s_type->name, "bpf") ||
> > > > - !strcmp(sb->s_type->name, "pstore"))
> > > > + !strcmp(sb->s_type->name, "pstore") ||
> > > > + !strcmp(sb->s_type->name, "securityfs"))
> > > > sbsec->flags |= SE_SBGENFS;
> > > >
> > > > if (!strcmp(sb->s_type->name, "sysfs") ||
> > > > --
> > > > 2.33.0
> > >
> > > --
> > > paul moore
> > > www.paul-moore.com
> >
> > Something like:
> >
> > Add support for genfscon per-file labeling of securityfs files. This allows
> > for separate labels and thereby access control for different files.
> > For example a genfscon statement
> >     genfscon securityfs /integrity/ima/policy
> >     system_u:object_r:ima_policy_t:s0
> > will set a specific label to the IMA policy file and thus allow controlling
> > the ability to set the IMA policy.
> > Setting labels directly, e.g. via chcon(1) or setfiles(8), is
> > still not supported.
> >
> > ?
>
> That's a much better description of the functionality, especially for
> those who may not be very familiar with SELinux, thank you. However I
> was hoping to also hear some confirmation that you have tested this
> and it worked without problem?

Hi Christian, my apologies on the delay, I was distracted by a few other
SELinux issues. Thank you for sending out your testing notes in the
meantime.

Are you okay if I replace the original commit description with your more
verbose version? If not, could you resend the patch with the updated
commit description?

Thanks.

--
paul moore
www.paul-moore.com
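Review bot: the commit description above the hunk still does not say how the change was tested, which Paul asked for; the description should record the test, for example that after loading a policy carrying the quoted `genfscon securityfs /integrity/ima/policy system_u:object_r:ima_policy_t:s0` entry, `ls -Z /sys/kernel/security/integrity/ima/policy` shows the new context while the other securityfs files keep their previous label. A second point for the same hunk: securityfs is added only to the `SE_SBGENFS` condition and not to the `if (!strcmp(sb->s_type->name, "sysfs") ||` block that follows, which is consistent with the description's statement that chcon(1)/setfiles(8) remain unsupported; the commit message should say this is intentional so that readers do not expect xattr-based relabeling of securityfs files.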
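The description in the thread explains the effect of the patch in policy terms: with `SE_SBGENFS` set for securityfs, a `genfscon securityfs <path> <context>` entry labels the individual file, while without the flag every inode simply carries the superblock's root label. As an added illustration (my own model, not code from the thread or the kernel), the Python below mimics that lookup: the entry for the filesystem whose path is the longest prefix of the inode's path wins, entries may be restricted to an object class, and the per-path search only happens when the filesystem is in the `SE_SBGENFS` set. The policy fragment, the `security_t` default context, the `*_BEFORE`/`*_AFTER` sets (only the names visible in the hunk) and the file names are constructed assumptions; the real logic lives in the kernel's `security_genfs_sid()` and the genfs branch of `inode_doinit_with_dentry()`, and the prefix-match behaviour modelled here is my reading of that code, not something the thread states.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class GenfsEntry:
    """One `genfscon fstype path context` policy statement."""
    fstype: str
    path: str                      # prefix relative to the mount root
    context: str
    sclass: Optional[str] = None   # None: entry applies to every object class


# Constructed policy fragment (illustration only, not a distribution policy).
# The ima_policy_t entry is the one quoted in the thread; the security_t root
# entry and the sysfs entry are assumed defaults for the example.
POLICY = (
    GenfsEntry("securityfs", "/", "system_u:object_r:security_t:s0"),
    GenfsEntry("securityfs", "/integrity/ima/policy",
               "system_u:object_r:ima_policy_t:s0"),
    GenfsEntry("sysfs", "/", "system_u:object_r:sysfs_t:s0"),
)

# Filesystems flagged SE_SBGENFS: only the names visible in the quoted hunk
# (the kernel's list is longer).  AFTER is the state with the patch applied.
SE_SBGENFS_BEFORE = frozenset({"tracefs", "binder", "bpf", "pstore"})
SE_SBGENFS_AFTER = SE_SBGENFS_BEFORE | {"securityfs"}


def genfs_sid(policy: Iterable[GenfsEntry], fstype: str, path: str,
              sclass: Optional[str] = None) -> Optional[str]:
    """Model of security_genfs_sid(): among the entries for `fstype` whose
    path is a plain string prefix of `path` (not a per-component match) and
    whose class restriction, if any, matches, return the longest one."""
    best: Optional[GenfsEntry] = None
    for entry in policy:
        if entry.fstype != fstype:
            continue
        if entry.sclass is not None and sclass is not None and entry.sclass != sclass:
            continue
        if path.startswith(entry.path) and (best is None or len(entry.path) > len(best.path)):
            best = entry
    return None if best is None else best.context


def inode_context(policy: Iterable[GenfsEntry], genfs_fs: frozenset, fstype: str,
                  path: str, sclass: str = "file") -> Optional[str]:
    """Label an inode the way the genfs branch of inode initialisation does:
    with SE_SBGENFS the dentry path is looked up; without it every inode
    inherits the superblock's root label (the `/` entry)."""
    if fstype in genfs_fs:
        return genfs_sid(policy, fstype, path, sclass)
    return genfs_sid(policy, fstype, "/", "dir")


def label_before_and_after(path: str) -> tuple:
    """Convenience: the securityfs label for `path` without and with the patch."""
    return (inode_context(POLICY, SE_SBGENFS_BEFORE, "securityfs", path),
            inode_context(POLICY, SE_SBGENFS_AFTER, "securityfs", path))


if __name__ == "__main__":
    for p in ("/integrity/ima/policy",
              "/integrity/ima/ascii_runtime_measurements",   # constructed
              "/integrity/ima/policy_backup"):               # constructed
        print(p, "->", label_before_and_after(p))
```

The last constructed name shows the caveat a policy writer should keep in mind: because the match is a string prefix, a hypothetical `/integrity/ima/policy_backup` would also receive `ima_policy_t`, so per-file genfscon paths should be chosen with their possible siblings in mind.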