From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [SELinux-notebook PATCH v8] objects.md: some clarifications
Date: Fri, 24 Jul 2020 09:26:08 -0400 [thread overview]
Message-ID: <CAEjxPJ4TsTfNELBGguF7+1asKTnMdkSdNMu+R15PC=ixgeOX7Q@mail.gmail.com> (raw)
In-Reply-To: <fde88aa9-1f4d-fb60-b27e-0da093753cdf@defensec.nl>
On Fri, Jul 24, 2020 at 9:06 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
>
>
> On 7/24/20 2:56 PM, Stephen Smalley wrote:
> > On Fri, Jul 24, 2020 at 8:29 AM Dominick Grift
> > <dominick.grift@defensec.nl> wrote:
> >>
> >>
> >>
> >> On 7/24/20 2:23 PM, Stephen Smalley wrote:
> >>> On Fri, Jul 24, 2020 at 3:54 AM Dominick Grift
> >>> <dominick.grift@defensec.nl> wrote:
> >>>>
> >>>>
> >>>>
> >>>> On 7/23/20 3:24 PM, Stephen Smalley wrote:
> > I think for this kind of complete policy changeover, you need to
> > relabel prior to rebooting.
>
> I think i tried that, but the extended attribute filesystems need to be
> re-initialized AFAIK else fixfiles just returns with "Operation not
> supported". Not sure if that strictly speaking requires a reboot or if
> you can somehow do that with mount -o remount?
>
> Is there a way to enable labeling support of extended attribute
> filesystems without rebooting?
>
> I think there was a patch recently by the Red Hat ContainerOS people to
> enable labeling from the initramfs (ie labeling when SELinux is
> disabled) How does that relate to the issue where I am seemingly not
> able to relabel the filesystem after adding a fsuse trans rule without
> rebooting? (ie SELinux is enabled, there is a fsuse xattr but the
> filesystem hasnt been re-initialized yes and setfiles reports "operation
> not supported")
So, first, fs_use_* rules should be relatively standard across SELinux
policies because they are more about the characteristics of the
filesystem driver and what it supports than about a particular policy.
The only thing policy-specific about them is the context to assign to
filesystem/superblock. I updated scripts/selinux/mdp to auto-generate
appropriate fs_use* rules for many filesystem types and I'd recommend
using those rules in any new policy. Similarly, mdp can be used as a
guide to which filesystem types should be using genfscon although
incomplete. If there was a good general way that I could test for the
properties of a filesystem type in the SELinux module code and
automatically assign FS_USE_* and/or use of genfscon, I'd do that
instead.
Second, if your policy is changing these rules and the superblock has
already been initialized, then the only way to get your new rule
applied is if you can cause the old superblock to go away, e.g.
unmount. And that won't work while it is in use. So rebooting if
your only option if you cannot do that. Rebooting with SELinux
disabled and then running setfiles will be the safest when performing
a complete policy changeover since you will then have no interference
by the old policy.
next prev parent reply other threads:[~2020-07-24 13:26 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-10 7:09 [SELinux-notebook PATCH] onjects.md: some clarifications Dominick Grift
2020-07-10 7:14 ` [SELinux-notebook PATCH v2] objects.md: " Dominick Grift
2020-07-13 10:45 ` Richard Haines
2020-07-15 2:15 ` Paul Moore
2020-07-15 7:56 ` Dominick Grift
2020-07-16 11:18 ` [SELinux-notebook PATCH v3] " Dominick Grift
2020-07-16 12:17 ` [SELinux-notebook PATCH v4] " Dominick Grift
2020-07-17 1:36 ` Paul Moore
2020-07-17 6:41 ` Dominick Grift
2020-07-18 6:40 ` [SELinux-notebook PATCH v5] " Dominick Grift
2020-07-19 9:44 ` [SELinux-notebook PATCH v6] " Dominick Grift
2020-07-21 17:44 ` Stephen Smalley
2020-07-21 19:51 ` [SELinux-notebook PATCH v7] " Dominick Grift
2020-07-21 20:02 ` [SELinux-notebook PATCH v8] " Dominick Grift
2020-07-21 20:14 ` Dominick Grift
2020-07-22 16:48 ` Stephen Smalley
2020-07-22 16:57 ` Dominick Grift
2020-07-22 17:32 ` Stephen Smalley
2020-07-23 8:13 ` Dominick Grift
2020-07-23 12:22 ` Stephen Smalley
2020-07-23 13:04 ` Dominick Grift
2020-07-23 13:24 ` Stephen Smalley
2020-07-23 13:37 ` Dominick Grift
2020-07-24 7:54 ` Dominick Grift
2020-07-24 12:23 ` Stephen Smalley
2020-07-24 12:29 ` Dominick Grift
2020-07-24 12:56 ` Stephen Smalley
2020-07-24 13:06 ` Dominick Grift
2020-07-24 13:26 ` Stephen Smalley [this message]
2020-07-24 13:30 ` Dominick Grift
2020-07-22 17:29 ` Dominick Grift
2020-07-22 15:11 ` Stephen Smalley
2020-07-23 7:50 ` [SELinux-notebook PATCH v9] " Dominick Grift
2020-07-23 12:00 ` Stephen Smalley
2020-07-27 13:43 ` Stephen Smalley
2020-07-28 2:17 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEjxPJ4TsTfNELBGguF7+1asKTnMdkSdNMu+R15PC=ixgeOX7Q@mail.gmail.com' \
--to=stephen.smalley.work@gmail.com \
--cc=dominick.grift@defensec.nl \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).