From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 5 Mar 2014 12:36:33 -0500
Subject: [refpolicy] restorecon/setfiles generating avc: denied { getattr } on pseudo filesystems
In-Reply-To: <20140305002849.78607352@fornost.bigon.be>
References: <20140304171237.41758378@soldur.bigon.be> <5315FFE0.7010009@tresys.com> <20140305002849.78607352@fornost.bigon.be>
Message-ID: <531760A1.7010400@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/04/2014 06:28 PM, Laurent Bigonville wrote:
> On Tue, 4 Mar 2014 11:31:28 -0500,
> "Christopher J. PeBenito" wrote:
>
>> On 03/04/2014 11:12 AM, Laurent Bigonville wrote:
> [...]
>>> Talking a bit with Dominick, he proposed to create a new
>>> "xattrfs" attribute, attach it to all the filesystems and then use it
>>> instead of fs_t in the allow rules. This should probably also
>>> simplify/fix situations where files are moved around these pseudo-fs
>>> and real fs.
>>
>> It sounds reasonable to me, now that fs_t is not the only xattr fs.
>
> Do you know if we can assume that all the fs that currently don't have
> the noxattrfs attribute are actually supporting the xattrs?

No, we can't. The noxattrfs attribute was originally intended for regular filesystems that don't support extended attributes, such as vfat, so it doesn't include non-xattr pseudo filesystems. We should probably look at restructuring the rules so we can make the set noxattrfs and xattrfs have no intersection, but the union of the two equal to the set of all filesystem types.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
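An added checker for the invariant proposed above (xattrfs and noxattrfs must not intersect, and their union must equal every type carrying fs_type), written here as a small Python script over refpolicy-style declarations; it is not part of this thread or of refpolicy. It assumes fs_type() and fs_noxattr_type() attach attributes as in refpolicy and that a fs_xattr_type() interface attaching xattrfs exists as the proposal implies; the policy fragment it parses is constructed.

```python
import re

# Interface calls and the attributes they attach (fs_type and fs_noxattr_type
# as in refpolicy; fs_xattr_type is assumed here, following the proposal).
INTERFACES = {"fs_type": {"fs_type"},
              "fs_noxattr_type": {"fs_type", "noxattrfs"},
              "fs_xattr_type": {"fs_type", "xattrfs"}}
TYPE_RE = re.compile(r"^type\s+(\w+)([\w\s,]*);")             # type t, a1, a2;
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+([\w\s,]+);")
CALL_RE = re.compile(r"^(\w+)\((\w+)\)")                       # iface(t)

# Constructed policy fragment, not refpolicy source.
SAMPLE_POLICY = """
type fs_t;
fs_xattr_type(fs_t)
type dosfs_t;                       # vfat: regular fs without xattrs
fs_noxattr_type(dosfs_t)
type proc_t;                        # pseudo fs carrying neither attribute
fs_type(proc_t)
type tmpfs_t, xattrfs;
fs_type(tmpfs_t)
type broken_t;                      # deliberately placed in both sets
fs_xattr_type(broken_t)
typeattribute broken_t noxattrfs;
"""

def attribute_members(policy_text):
    """Map attribute name -> set of types carrying it."""
    members = {}
    def add(attr, t): members.setdefault(attr, set()).add(t)
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if m := TYPE_RE.match(line):
            for a in m.group(2).split(","):
                if a.strip(): add(a.strip(), m.group(1))
        elif m := TYPEATTR_RE.match(line):
            for a in m.group(2).split(","): add(a.strip(), m.group(1))
        elif (m := CALL_RE.match(line)) and m.group(1) in INTERFACES:
            for a in INTERFACES[m.group(1)]: add(a, m.group(2))
    return members

def check_partition(policy_text):
    """Report types violating: xattrfs and noxattrfs disjoint, union == fs_type."""
    m = attribute_members(policy_text)
    all_fs, xattr, noxattr = (m.get(k, set()) for k in ("fs_type", "xattrfs", "noxattrfs"))
    return {"overlap": sorted(xattr & noxattr),            # in both sets
            "uncovered": sorted(all_fs - (xattr | noxattr))}  # in neither

if __name__ == "__main__":
    print(check_partition(SAMPLE_POLICY))
```

On the sample it flags broken_t as being in both sets and proc_t as the pseudo filesystem covered by neither, which is exactly the gap the reply describes.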