From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 03 Jan 2011 16:32:55 -0500
Subject: [refpolicy] file contexts for /proc/sys/* missing
In-Reply-To: <4D1B8CD5.2050705@giz-works.com>
References: <20101229185611.GA21308@siphos.be> <4D1B8CD5.2050705@giz-works.com>
Message-ID: <4D224087.6000109@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/29/2010 02:32 PM, Chris Richards wrote:
> On 12/29/2010 12:56 PM, Sven Vermeulen wrote:
>> Hi all,
>>
>> My system seems to be unable to give proper security contexts to the "files"
>> in /proc/sys/*:
>>
>> hpl sys # ls -laZ /proc/sys/
>> total 0
>> dr-xr-xr-x. 1 root wheel system_u:object_r:sysctl_t 0 Dec 29 18:45 .
>> dr-xr-xr-x. 154 root root system_u:object_r:proc_t 0 Dec 29 18:45 ..
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 abi
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 debug
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 dev
>> dr-xr-xr-x 0 root root ? 0 Dec 29 18:45 fs
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 kernel
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:29 net
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 sunrpc
>> dr-xr-xr-x 0 root root ? 0 Dec 29 19:31 vm
>>
> Interesting, I have the same behavior here, both on Fedora and my
> Gentoo system.
>
> matchpathcon /proc/sys says 'No such file or directory' which suggests
> that no contexts are defined for that part of the tree. Interestingly
> enough, /proc/sys/fs/binfmt_misc DOES have a context, as do the
> contents. This suggests that those files may be labeled by a domtrans
> or filetrans.
>
> Someone who knows more than me will have to comment further.
>
>> It seems that kernel.te should generate the necessary contexts, and for some
>> other locations (like /proc/net) it does:
>>
>> dr-xr-xr-x. 6 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 .
>> dr-x------. 7 root wheel staff_u:staff_r:staff_t 0 Dec 29 19:52 ..
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 arp
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 connector
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev
>> -r--r--r--. 1 root wheel system_u:object_r:proc_net_t 0 Dec 29 19:52 dev_mcast
>> [...]
>>
>> How do I go about debugging this? I was hoping to put some debugging
>> statements along the lines of the genfscon macro, but can't find its
>> definition anywhere.
>>
>> Wkr,
>> Sven Vermeulen
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy

Since these are not real files and the context is being generated by the
kernel, we do not specify file context. There is a construct in base policy
to say how they should be labelled.
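The base-policy construct referred to above is genfscon: for a pseudo filesystem such as proc the kernel labels each inode by matching its path within the mount against the genfscon prefixes loaded from policy, so these entries never appear in file_contexts and matchpathcon has nothing to report. The Python below is an added illustration, not refpolicy code; its genfscon lines are a constructed sample modelled on kernel.te, and the lookup mirrors the kernel's longest-prefix match.

```python
import re

# Constructed sample modelled on refpolicy's kernel.te genfscon block
# (a subset, not the real file).
KERNEL_TE_SAMPLE = """
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0)
genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
"""

# genfscon <fstype> <path-in-fs> gen_context(<user>:<role>:<type>[,<mls>])
GENFSCON_RE = re.compile(
    r"^\s*genfscon\s+(\S+)\s+(\S+)\s+gen_context\(([^,)]+)(?:,[^)]*)?\)")


def parse_genfscon(policy_text):
    """Return (fstype, path_prefix, context) tuples found in policy source."""
    rules = []
    for line in policy_text.splitlines():
        m = GENFSCON_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3)))
    return rules


def genfs_label(rules, fstype, path):
    """Label `path` (relative to the mount, e.g. /sys/kernel/hostname for
    /proc/sys/kernel/hostname) the way the kernel does: a plain string
    prefix comparison, with the longest matching genfscon prefix winning.
    Returns None when no genfscon rule covers the filesystem type."""
    best = None
    for rule_fs, prefix, ctx in rules:
        if rule_fs == fstype and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ctx)
    return best[1] if best else None


if __name__ == "__main__":
    rules = parse_genfscon(KERNEL_TE_SAMPLE)
    for p in ("/sys/kernel/hostname", "/sys/abi", "/net/arp", "/cpuinfo"):
        print(f"/proc{p}: {genfs_label(rules, 'proc', p)}")
```

On a live system the same rules can be listed from the loaded policy with seinfo's genfscon query, which is the place to look when a /proc path shows an unexpected label.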