SELinuxProject/selinux-kernel

RFE: add genfscon support for regex paths


Currently one cannot further restrict access to the kernel pseudo-filesystem sysfs.
Paths like /sys/bus/usb/devices/ or /sys/class/net/eth0 can be labeled, but these files are symlinks to hardware-dependent files, e.g. /sys/class/net/eth0 -> ../../devices/pci0000:00/0000:00:1c.5/0000:05:00.0/net/eth0 or /sys/bus/usb/devices/usb1 -> ../../../devices/pci0000:00/0000:00:1a.0/usb1.
If genfscon supported regular expressions in the path argument, one could label these files:

genfscon sysfs /devices/(.*/)+usb[0-9]* gen_context(system_u:object_r:sysfs_usb_t,s0)
genfscon sysfs /devices/(.*/)+net gen_context(system_u:object_r:sysfs_net_t,s0)

Android init does the equivalent of a restorecon -R /sys on boot, so all sysfs entries can be labeled based on file_contexts, which supports regexes; this required some careful optimization to minimize boot time, which has been ported upstream into libselinux selinux_restorecon() used by newer policycoreutils restorecon (2.6 and later). Linux distributions have to date chosen to only label specific /sys entries via systemd tmpfiles.d (e.g. see /usr/lib/tmpfiles.d/selinux-policy.conf in Fedora), which likewise will be based on file_contexts; you should be able to use the Z option (notice capitalization) to recursively relabel a directory tree.
One other related point is that in Android, they wanted to be able to assign labels to specific device nodes based on the symbolic link name rather than the real name, so that a single file_contexts file could be used by all builds of a device independent of the particular partition number assignment. This was accommodated by introducing a selabel_lookup_best_match(3) API that could be used by ueventd (Android udev equivalent) when creating device nodes; in the ueventd case at least, it knows the symbolic link names up front so we can make a choice at device node creation time based on the best match for any of the available names. selabel_lookup_best_match() was also upstreamed to selinux userspace, but I'm not aware of anyone having modified udev to use it to date.
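As an added illustration, not taken from the issue or from libselinux, the following Python models the approach the comment describes: anchored file_contexts regexes where a later matching entry takes precedence, plus a selabel_lookup_best_match(3)-style choice between a symlink name and its hardware-dependent target. The sysfs_usb_t and sysfs_net_t types and the two symlinks come from the issue; the sysfs_t entry and the exact entry ordering are assumptions.

```python
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed file_contexts entries: sysfs_usb_t / sysfs_net_t are the hypothetical
# types from the issue, sysfs_t the generic one. As in libselinux, each regex is
# anchored at both ends and a later matching entry beats an earlier one.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/sys(/.*)?", "system_u:object_r:sysfs_t:s0"),
    (r"/sys/devices(/.*)?/usb[0-9]+(/.*)?", "system_u:object_r:sysfs_usb_t:s0"),
    (r"/sys/devices(/.*)?/net(/.*)?", "system_u:object_r:sysfs_net_t:s0"),
]
SPECS = [(re.compile("^" + rx + "$"), ctx) for rx, ctx in FILE_CONTEXTS]

def lookup(path: str) -> Optional[Tuple[int, str]]:
    """Return (precedence, context) of the last entry matching path, or None."""
    for idx in range(len(SPECS) - 1, -1, -1):
        regex, ctx = SPECS[idx]
        if regex.match(path):
            return idx, ctx
    return None

def lookup_best_match(path: str, aliases: List[str]) -> Optional[str]:
    """Model of selabel_lookup_best_match(3): highest-precedence hit over path and aliases."""
    best = None
    for name in [path] + aliases:
        hit = lookup(name)
        if hit and (best is None or hit[0] > best[0]):
            best = hit
    return best[1] if best else None

def resolve_link(link: str, target: str) -> str:
    """Resolve a relative symlink target, e.g. /sys/class/net/eth0 -> ../../devices/..."""
    return posixpath.normpath(posixpath.join(posixpath.dirname(link), target))

def relabel_sysfs(symlinks: Dict[str, str]) -> Dict[str, str]:
    """For each constructed sysfs symlink, label it by the best match over its
    own name and its resolved hardware-dependent target path."""
    return {link: lookup_best_match(resolve_link(link, target), [link]) or "<<none>>"
            for link, target in symlinks.items()}

# Constructed sample symlinks, copied from the issue text.
SYSFS_LINKS = {
    "/sys/class/net/eth0": "../../devices/pci0000:00/0000:00:1c.5/0000:05:00.0/net/eth0",
    "/sys/bus/usb/devices/usb1": "../../../devices/pci0000:00/0000:00:1a.0/usb1",
}

if __name__ == "__main__":
    for link, ctx in relabel_sysfs(SYSFS_LINKS).items():
        print(f"{link}: link-only {lookup(link)[1]} -> best {ctx}")
```

Looking up the link name alone only ever reaches the generic sysfs_t entry; resolving to the real device path is what lets the regex entries for usb and net apply.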