On Tue, Sep 28, 2021 at 11:40 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add support for genfscon per-file labeling of securityfs files. This allows
> for separate labels and thereby access control for different files.
> For example a genfscon statement
>
> genfscon securityfs /integrity/ima/policy system_u:object_r:ima_policy_t:s0
>
> will set a private label to the IMA policy file and thus allow to
> control the ability to set the IMA policy.
> Setting labels directly with setxattr(2), e.g. by chcon(1) or
> setfiles(8), is still not supported.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> v2:
> - improve commit description
>
>
> security/selinux/hooks.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Merged into selinux/next, thanks Christian!

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 012e8504ed9e..549f631e9832 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> !strcmp(sb->s_type->name, "tracefs") ||
> !strcmp(sb->s_type->name, "binder") ||
> !strcmp(sb->s_type->name, "bpf") ||
> - !strcmp(sb->s_type->name, "pstore"))
> + !strcmp(sb->s_type->name, "pstore") ||
> + !strcmp(sb->s_type->name, "securityfs"))
> sbsec->flags |= SE_SBGENFS;
>
> if (!strcmp(sb->s_type->name, "sysfs") ||
> --
> 2.33.0

--
paul moore
www.paul-moore.com
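Review bot: the hunk only extends the SE_SBGENFS chain in selinux_set_mnt_opts() and leaves the following `if (!strcmp(sb->s_type->name, "sysfs") ||` branch untouched, which is what the commit description's "setxattr(2) ... is still not supported" caveat rests on; a one-line comment next to the new `"securityfs"` entry saying that xattr-based relabeling is intentionally not enabled for it would save the next reader from checking that branch by hand. As a style point, this strcmp() chain now spans six filesystem names across two conditions; a static table of names walked in a loop would make future additions a one-line change and keep the two lists visibly distinct.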