Discussion:
Labeling sysfs files
David Graziano
2017-10-02 21:54:54 UTC
I'm trying to find a way of labeling specific files/directories in
sysfs that do not exist at boot time. I'm running an embedded SELinux
enabled system (4.1 series kernel) where at boot there is an init
script performing a restorecon on /sys. Sometime later a usb cellular
modem is powered on and enumerated at which point its sysfs
sub-directory structure is added.

This directory path is correctly getting my custom label via
restorecon during boot
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/

After the cellular modem is powered on the following directory
structure is created.
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
Everything "1-1" and lower is getting the "default" sysfs_t label.

Is there a method of labeling that newly added sub-directory structure
other than running restorecond or restorecon again? I specifically
need to control access to the "qmi" file. I've tried adding a genfscon
to the policy but it doesn't seem to work although I don't know if
it's supposed to.

Any advice would be appreciated.
William Roberts
2017-10-02 22:24:49 UTC
On Mon, Oct 2, 2017 at 2:54 PM, David Graziano
Post by David Graziano
I'm trying to find a way of labeling specific files/directories in
sysfs that do not exist at boot time. I'm running an embedded SELinux
enabled system (4.1 series kernel) where at boot there is an init
script performing a restorecon on /sys. Sometime later a usb cellular
modem is powered on and enumerated at which point its sysfs
sub-directory structure is added.
This directory path is correctly getting my custom label via
restorecon during boot
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/
After the cellular modem is powered on the following directory
structure is created.
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
Everything "1-1" and lower is getting the "default" sysfs_t label.
Is there a method of labeling that newly added sub-directory structure
other than running restorecond or restorecon again? I specifically
need to control access to the "qmi" file. I've tried adding a genfscon
to the policy but it doesn't seem to work although I don't know if
it's supposed to.
Any advice would be appreciated.
Because of sysfs's dynamic nature, labeling is hard, as you found out.
We have these issues on Android as well. The best solution for us was
to use/add genfscon support:
http://permalink.gmane.org/gmane.linux.kernel.commits.head/535516

But that patch looks like it won't apply to 4.1 as none of the
SB_GENFS infrastructure is there.

You'd have to call the restorecon in a part where the file exists but
before any clients start using it. Perhaps you could register something
via inotify (I don't know offhand if that works on sysfs).

If it's a service, maybe you could have the service run/trigger the
restorecon on startup, perhaps via init/systemd scripts.

Or perhaps you can get on a newer kernel, looks like 4.4 has it:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/security/selinux/hooks.c?h=v4.4.89#n742
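
The restorecon-before-clients approach suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell helper that polls for the late-appearing file, relabels the new subtree, and fails if the file still carries the default sysfs_t type. The function names and the RESTORECON/GETLABEL override variables are assumptions, and it presumes file_contexts already has an entry for the new path.

```shell
#!/bin/sh
# Added example (not from the thread): relabel a late-appearing sysfs subtree.
# RESTORECON and GETLABEL are overridable hooks (an assumption of this example)
# so the logic can be exercised off-target; the defaults are the real tools.
RESTORECON="${RESTORECON:-restorecon -R}"
GETLABEL="${GETLABEL:-stat -c %C}"   # %C prints the SELinux context

# wait_for_path PATH SECONDS: returns 0 once PATH exists, 1 on timeout.
# Polls once a second instead of depending on inotify behaviour in sysfs.
wait_for_path() {
    path=$1; remaining=$2
    while [ ! -e "$path" ]; do
        [ "$remaining" -le 0 ] && return 1
        sleep 1
        remaining=$((remaining - 1))
    done
    return 0
}

# relabel_when_present ROOT LEAF SECONDS
#   ROOT: top of the newly created subtree (the "1-1" directory in the thread)
#   LEAF: the file whose label matters (the "qmi" file in the thread)
# Returns 0 only if LEAF exists and no longer has the default sysfs_t type;
# 1 = never appeared, 2 = relabel or lookup failed, 3 = still sysfs_t.
relabel_when_present() {
    root=$1; leaf=$2; timeout=$3
    wait_for_path "$leaf" "$timeout" || {
        echo "timeout waiting for $leaf" >&2; return 1; }
    $RESTORECON "$root" || {
        echo "restorecon failed on $root" >&2; return 2; }
    label=$($GETLABEL "$leaf") || return 2
    case "$label" in
        *:sysfs_t|*:sysfs_t:*)
            echo "$leaf still labeled $label" >&2
            return 3 ;;
    esac
    return 0
}

# Typical use from the client's init script, before the client is started
# (USB stands for the .../fsl-ehci.0/usb1 directory named in the thread):
#   relabel_when_present "$USB/1-1" "$USB/1-1/1-1:1.10/net/wwan1/qmi" 30 || exit 1
```

Starting the client only when this returns 0 keeps it from ever opening the file under the default label.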
Stephen Smalley
2017-10-03 12:58:27 UTC
Post by David Graziano
I'm trying to find a way of labeling specific files/directories in
sysfs that do not exist at boot time. I'm running an embedded SELinux
enabled system (4.1 series kernel) where at boot there is an init
script performing a restorecon on /sys. Sometime later a usb cellular
modem is powered on and enumerated at which point its sysfs
sub-directory structure is added.
This directory path is correctly getting my custom label via
restorecon during boot
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/
After the cellular modem is powered on the following directory
structure is created.
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
Everything "1-1" and lower is getting the "default" sysfs_t label.
Is there a method of labeling that newly added sub-directory structure
other than running restorecond or restorecon again? I specifically
need to control access to the "qmi" file. I've tried adding a genfscon
to the policy but it doesn't seem to work although I don't know if
it's supposed to.
Any advice would be appreciated.
You could cherry-pick kernel commits
134509d54e4e98888be2697a92cb4b48957b792b and
8e01472078763ebc1eaea089a1adab75dd982ccd to gain support for genfscon
labeling of sysfs entries. Looks like they apply ok on 4.1, although I
haven't built or tested that. I think that's your best option.
David Graziano
2017-10-03 13:13:41 UTC
Post by Stephen Smalley
Post by David Graziano
I'm trying to find a way of labeling specific files/directories in
sysfs that do not exist at boot time. I'm running an embedded SELinux
enabled system (4.1 series kernel) where at boot there is an init
script performing a restorecon on /sys. Sometime later a usb cellular
modem is powered on and enumerated at which point its sysfs
sub-directory structure is added.
This directory path is correctly getting my custom label via
restorecon during boot
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/
After the cellular modem is powered on the following directory
structure is created.
/sys/devices/platform/xxxx/yyyy/fsl-ehci.0/usb1/1-1/1-1:1.10/net/wwan1/qmi
Everything "1-1" and lower is getting the "default" sysfs_t label.
Is there a method of labeling that newly added sub-directory structure
other than running restorecond or restorecon again? I specifically
need to control access to the "qmi" file. I've tried adding a genfscon
to the policy but it doesn't seem to work although I don't know if
it's supposed to.
Any advice would be appreciated.
You could cherry-pick kernel commits
134509d54e4e98888be2697a92cb4b48957b792b and
8e01472078763ebc1eaea089a1adab75dd982ccd to gain support for genfscon
labeling of sysfs entries. Looks like they apply ok on 4.1, although I
haven't built or tested that. I think that's your best option.
Thanks for the info. I will try cherry-picking those commits.
- David
