From: gizmo@giz-works.com (Chris Richards)
Date: Wed, 29 Dec 2010 13:32:37 -0600
Subject: [refpolicy] file contexts for /proc/sys/* missing
In-Reply-To: <20101229185611.GA21308@siphos.be>
References: <20101229185611.GA21308@siphos.be>
Message-ID: <4D1B8CD5.2050705@giz-works.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/29/2010 12:56 PM, Sven Vermeulen wrote:
> Hi all,
>
> My system seems to be unable to give proper security contexts to the "files"
> in /proc/sys/*:
>
> hpl sys # ls -laZ /proc/sys/
> total 0
> dr-xr-xr-x.   1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
> dr-xr-xr-x. 154 root root  system_u:object_r:proc_t   0 Dec 29 18:45 ..
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:31 abi
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:31 debug
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:31 dev
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 18:45 fs
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:31 kernel
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:29 net
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:31 sunrpc
> dr-xr-xr-x    0 root root  ?                          0 Dec 29 19:31 vm
>

Interesting, I have the same behavior here, both on Fedora and my Gentoo
system.  matchpathcon /proc/sys says 'No such file or directory', which
suggests that no contexts are defined for that part of the tree.

Interestingly enough, /proc/sys/fs/binfmt_misc DOES have a context, as do
its contents.  This suggests that those files may be labeled by a domtrans
or filetrans.  Someone who knows more than me will have to comment further.

> It seems that kernel.te should generate the necessary contexts, and for some
> other locations (like /proc/net) it does:
>
> dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t         0 Dec 29 19:52 .
> dr-x------. 7 root wheel staff_u:staff_r:staff_t         0 Dec 29 19:52 ..
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t    0 Dec 29 19:52 arp
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t    0 Dec 29 19:52 connector
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t    0 Dec 29 19:52 dev
> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t    0 Dec 29 19:52 dev_mcast
> [...]
>
> How do I go about debugging this?  I was hoping to put some debugging
> statements along the line of the genfscon macro, but can't find its
> definition anywhere.
>
> Wkr,
>   Sven Vermeulen
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
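The symptom both posters describe is a "?" in the security-context column of `ls -laZ`, meaning the kernel returned no label for that inode. The script below is an added example, not part of the thread or of refpolicy: it parses an `ls -laZ` listing and reports every entry that came back unlabeled, so the check can be run over a whole procfs subtree (or any directory) instead of eyeballing the listing. The sample listing embedded in the script is constructed to mirror the one quoted above; the `sysctl_fs_t` label on `fs` is an assumption used only to show a labeled sibling among unlabeled ones. Note that `matchpathcon` answers from the file_contexts database, while procfs entries are labeled by `genfscon` statements compiled into the policy, so `matchpathcon` not knowing a `/proc` path says nothing on its own about whether the kernel labels it.

```shell
#!/bin/sh
# Report entries in an `ls -laZ` listing whose SELinux context is "?" (unlabeled).
# Added example for the refpolicy thread on /proc/sys labeling; not project code.

# Constructed sample mirroring the listing quoted in the thread (not a real capture).
# The sysctl_fs_t label on "fs" is an assumption used to show a labeled sibling.
SAMPLE_LISTING='total 0
dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
dr-xr-xr-x 0 root root system_u:object_r:sysctl_fs_t 0 Dec 29 18:45 fs
dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel'

# unlabeled_entries: read an `ls -laZ` listing on stdin, print the name of every
# entry whose context column (field 5 in ls -laZ output) is "?".
# Skips the "total N" header line and the "." / ".." entries.
unlabeled_entries() {
    awk '
        $1 == "total" && NF == 2 { next }     # "total 0" header
        $NF == "." || $NF == ".." { next }    # self and parent directory
        $5 == "?" { print $NF }               # unlabeled: kernel returned no context
    '
}

# count_unlabeled: number of unlabeled entries in the constructed sample.
count_unlabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | unlabeled_entries | wc -l | tr -d ' '
}

# With SELINUX_LIVE set and a real /proc/sys present, scan the live tree;
# otherwise run over the constructed sample so the script works offline.
if [ -n "${SELINUX_LIVE:-}" ] && [ -d /proc/sys ]; then
    ls -laZ /proc/sys | unlabeled_entries
else
    printf '%s\n' "$SAMPLE_LISTING" | unlabeled_entries
fi
```

Run as `SELINUX_LIVE=1 sh check_unlabeled.sh` on a system with SELinux enabled to list the unlabeled children of `/proc/sys`; any name it prints is an inode for which no `genfscon` rule (or other labeling mechanism) applied, which is the condition to chase in kernel.te.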