2012-07-09 18:35:28

by hqjiang1988

Subject: [refpolicy] Questions about genfscon

Hi all,

Thanks for reading this email. I have a quick question about the syntax of
"genfscon".
I want to re-label some files' contexts under the /proc directory. From the
current implementation I can see that all the contexts under /proc use the
genfscon syntax in the "ocontext" file. Then I tried the following cases,
and here is where the confusion comes in:

Case 1: I imitated the labeling syntax in the "ocontext" file, like:
genfscon proc /XXX u:object_r:xxx:s0;
The contexts are changed after a rebuild. (Working fine)

Case 2: I didn't modify the "ocontext" file; instead I modified the
"file_context" file, like: genfscon proc /XXX u:object_r:xxx:s0; It
doesn't work. I cannot find the new contexts. (Not working)

Case 3: I didn't modify the "ocontext" file; instead I modified the
"file_context" file without using the genfscon syntax, like: /proc/XXX
u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not
working)

Case 4: I didn't modify the "ocontext" file; instead I modified the
"sepolicy.fc" file under /device/samsung/tuna/ using both the "genfscon"
syntax and the regular label syntax, like: genfscon proc /XXX u:object_r:xxx:s0
and /proc/XXX u:object_r:xxx:s0; They don't work. I cannot find the new
contexts. (Not working)

In all, the only thing I can do is label the /proc file contexts in the
"ocontext" file using the "genfscon" syntax.
Could someone explain the reasons? Thanks a lot.

--
-----------------------------------
Haiqing Jiang, PH.D student

Computer Science Department, North Carolina State University


2012-07-10 12:33:01

by cpebenito

Subject: [refpolicy] Questions about genfscon

On 07/09/12 14:35, Haiqing Jiang wrote:
> Thanks for reading this email. I have a quick question about the syntax of "genfscon".
> I want to re-label some files' context under /proc directory. From current implementation I can find that
> all the contexts under /proc using genfscon syntax in the file of "ocontext". Then I tried the following cases,
> and the confusions are coming:
>
> Case 1: I imitated the labeling syntax in the file of "ocontext", like: genfscon proc /XXX u:object_r:xxx:s0;
> The contexts are changed after re-built. (Working fine)
> Case 2: I didn't modify in the "ocontext" file, instead I modify in the file of "file_context", like: genfscon proc /XXX u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not working)
> Case 3: I didn't modify in the "ocontext" file, instead I modify in the file of "file_context" and without using genfscon syntax, like: /proc/XXX u:object_r:xxx:s0; It doesn't work. I cannot find the new contexts. (Not working)
> Case 4: I didn't modify in the "ocontext" file, instead I modify in the file of "sepolicy.fc" under /device/samsung/tuna/ and using "genfscon" syntax and regular label syntax, like: genfscon proc /XXX u:object_r:xxx:s0 and /proc/XXX u:object_r:xxx:s0; They don't work. I cannot find the new contexts. (Not working)
>
> In all, the only way I can do is to label /proc files contexts in the file of "ocontext" and to use "genfscon" syntax.
> Could someone explain the reasons? Thanks a lot.

The short answer is it's because proc is a pseudo filesystem and has no persistent storage. File_contexts is used to initialize the labeling of filesystems with persistent storage, e.g. ext4. If you're looking for further discussion, the NSA SELinux mail list is more appropriate.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
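
As an added illustration of the distinction Chris draws above (this is example
policy written for this page, not from the thread, from refpolicy or from the
tuna device policy; the type names proc_foo and foo_data_file, the proc path
/net/foo and the persistent path /data/foo are assumptions, and the types are
assumed to be declared in a .te file elsewhere):

```selinux
# Added example, not from the thread. Type names and paths are assumptions.

# 1. Pseudo filesystem (no persistent storage, so no xattr on the inode to
#    read a label back from): the label has to come from the loaded policy
#    itself, via a genfscon statement in the ocontext / genfs_contexts section.
#    Form is: genfscon <fstype> <path prefix> <context>. The kernel picks the
#    longest matching prefix when it looks up an inode on that filesystem.
genfscon proc /net/foo              u:object_r:proc_foo:s0

# 2. Persistent filesystem with xattr support (e.g. ext4): the label lives in
#    the security.selinux xattr of the inode. A file_contexts entry does not
#    label anything by itself; it tells setfiles/restorecon (and the image
#    build that applies file_contexts) which context to write into that xattr.
/data/foo(/.*)?                     u:object_r:foo_data_file:s0

# 3. Silently ineffective (Case 3 in the question): a file_contexts entry for
#    a proc path. Nothing ever writes an xattr on a proc inode, so the kernel
#    keeps using the genfscon result and this line changes nothing.
/proc/net/foo                       u:object_r:proc_foo:s0
```

After rebuilding and loading a policy containing the genfscon line, `ls -Z` on
the assumed /proc/net/foo path reports u:object_r:proc_foo:s0 with no
restorecon step involved; running restorecon against that path cannot change
it, which is exactly why cases 2 through 4 showed no new contexts.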