- Hello -
I have a custom stacked filesystem and I was having difficulty with
security xattrs. I traced it back to missing:
fs_use_xattr myfs gen_context(system_u:object_r:fs_t,s0);
Which works nicely when I rebuild/reinstall the base policy. However
some experimentation and checking of old mailing posts seems to
indicate that it is not possible to achieve this in a policy module.
Because my FS is stacked I would be perfectly happy just to
inherit whatever the fs_use_xattr state of my lower filesystem is.
Is there a best practice for achieving this or do I need to always
rebuild the base policy?
Thank you for your time.
--
TY,
Dan Noland
On Fri, Jun 14, 2019 at 10:01:52PM +0000, Dan Noland wrote:
> - Hello -
>
> I have a custom stacked filesystem and I was having difficulty with
> security xattrs. I traced it back to missing:
>
> fs_use_xattr myfs gen_context(system_u:object_r:fs_t,s0);
>
> Which works nicely when I rebuild/reinstall the base policy. However
> some experimentation and checking of old mailing posts seems to
> indicate that it is not possible to achieve this in a policy module.
>
> Because my FS is stacked I would be perfectly happy just to
> inherit whatever the fs_use_xattr state of my lower filesystem is.
>
> Is there a best practice for achieving this or do I need to always
> rebuild the base policy?
If you are able to use CIL then you might be able to do this:
echo '(fsuse xattr "myfs" (system_u object_r fs_t ((s0)(s0))))' > mytest.cil && sudo semodule -i mytest.cil
>
> Thank you for your time.
>
> --
> TY,
> Dan Noland
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift