From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 10 Jul 2012 08:33:01 -0400
Subject: [refpolicy] Questions about genfscon
In-Reply-To:
References:
Message-ID: <4FFC20FD.9000907@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/09/12 14:35, Haiqing Jiang wrote:
> Thanks for reading this email. I have a quick question about the syntax of "genfscon".
> I want to re-label some files' contexts under the /proc directory. From the current implementation I can find that
> all the contexts under /proc use genfscon syntax in the file of "ocontext". Then I tried the following cases,
> and the confusions are coming:
>
> Case 1: I imitated the labeling syntax in the file of "ocontext", like: genfscon proc /XXX u:object_r:xxx:s0;
> The contexts are changed after re-built. (Working fine)
> Case 2: I didn't modify in the "ocontext" file, instead I modify in the file of "file_context", like: genfscon proc /XXX u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not working)
> Case 3: I didn't modify in the "ocontext" file, instead I modify in the file of "file_context" and without using genfscon syntax, like: /proc/XXX u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not working)
> Case 4: I didn't modify in the "ocontext" file, instead I modify in the file of "sepolicy.fc" under /device/samsung/tuna/ and using "genfscon" syntax and regular label syntax, like: genfscon proc /XXX u:object_r:xxx:s0 and /proc/XXX u:object_r:xxx:s0; They don't work. I cannot find the new contexts. (Not working)
>
> In all, the only way I can do is to label /proc files contexts in the file of "ocontext" and to use "genfscon" syntax.
> Could someone explain the reasons? Thanks a lot.

The short answer is it's because proc is a pseudo filesystem and has no persistent storage. File_contexts is used to initialize the labeling of filesystems with persistent storage, e.g. ext4.

If you're looking for further discussion, the NSA SELinux mail list is more appropriate.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
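
An added illustration of the answer above, not part of the original message or of refpolicy: a small Python model of which mechanism labels a path, depending on the filesystem type. It goes slightly beyond the email by also modelling longest-prefix matching of genfscon paths. Assumptions: the fs_use_xattr line, the `proc`, `labeledfs` and `data_file` type names and the helper names are constructed for the example; `/XXX` and `xxx` are the thread's placeholders.

```python
import re

# Constructed sample policy text. "/XXX" and "xxx" are the thread's
# placeholders; the other type names are made up for illustration.
OCONTEXT = """
fs_use_xattr ext4 u:object_r:labeledfs:s0;
genfscon proc / u:object_r:proc:s0
genfscon proc /XXX u:object_r:xxx:s0
"""
FILE_CONTEXTS = """
/proc/XXX    u:object_r:xxx:s0
/data(/.*)?  u:object_r:data_file:s0
"""
# Case 3 from the thread: the rule exists only in file_contexts.
CASE3_OCONTEXT = OCONTEXT.replace("genfscon proc /XXX u:object_r:xxx:s0\n", "")

def parse_ocontext(text):
    """Return (xattr fstypes, {fstype: [(path prefix, context)]})."""
    xattr, genfs = set(), {}
    for line in text.splitlines():
        f = line.rstrip(";").split()
        if len(f) == 3 and f[0] == "fs_use_xattr":
            xattr.add(f[1])
        elif len(f) == 4 and f[0] == "genfscon":
            genfs.setdefault(f[1], []).append((f[2], f[3]))
    return xattr, genfs

def resolve(fstype, mountpoint, path, ocontext=OCONTEXT, fc=FILE_CONTEXTS):
    """Return (mechanism, context) that labels `path` on a `fstype` mount."""
    xattr, genfs = parse_ocontext(ocontext)
    if fstype in genfs:
        # No on-disk label exists: the kernel computes it from the loaded
        # policy, using the path relative to the filesystem root and the
        # longest matching genfscon prefix. file_contexts is never read.
        rel = path[len(mountpoint):] or "/"
        hits = [(p, c) for p, c in genfs[fstype] if rel.startswith(p)]
        if hits:
            return "genfscon", max(hits, key=lambda h: len(h[0]))[1]
    elif fstype in xattr:
        # Labels are stored with the file; file_contexts seeds them at
        # labeling time. Simplified model: the last matching regex wins.
        for line in reversed(fc.splitlines()):
            f = line.split()
            if len(f) >= 2 and re.fullmatch(f[0], path):
                return "file_contexts", f[-1]
    return "unlabeled", None

if __name__ == "__main__":
    print(resolve("proc", "/proc", "/proc/XXX"))                  # Case 1
    print(resolve("proc", "/proc", "/proc/XXX", CASE3_OCONTEXT))  # Case 3
```

With `CASE3_OCONTEXT` the `/proc/XXX` line in file_contexts is present but has no effect, which matches the "Not working" result reported for Cases 2 to 4.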