[refpolicy] kernel_devices.patch

Stephen Smalley sds at tycho.nsa.gov
Mon Jun 7 12:42:17 CDT 2010


On Mon, 2010-06-07 at 11:52 -0400, Daniel J Walsh wrote:
> On 06/07/2010 09:39 AM, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
> >> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> >>> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> >>>>
> >>>> Added default label for /sys so libvirt could relabel to it.
> >>>
> >>> I don't understand this.  There should be no files labeled sysfs_t,
> >>> except for the entries created by the kernel on the fs itself, which get
> >>> the right label already.
> >>>
> >> libvirt currently does the equivalent of
> >>
> >> chcon svirt_t:MCS1 DEVICE
> >> Run QEMU
> >> restorecon DEVICE
> >>
> >> If /sys is<<none>>  then it does not have a label to change the context
> >> back to.  And leaves the context with a label svirt_t:MCS1.  If it later
> >> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.
> >
> > I still don't understand.  There are no device nodes in sysfs.
> >
> sysfs supports labeling now.  Certain objects need to have a 
> svirt_image_t:MCS label associated with them under /sys (Usb devices?) 
> When libvirt needs to changes these labels back to the default it asks 
> matchpathcon and it returns sysfs_t.

This is to support access to PCI device resources via sysfs.
See Documentation/sysfs-pci.txt.

-- 
Stephen Smalley
National Security Agency



More information about the refpolicy mailing list