/data used as two filesystem mountpoint，then seandroid how to lable file secontext?

/data used as two filesystem mountpoint，then seandroid how to lable file secontext?

[ge]

[-- Attachment #1: Type: text/plain, Size: 1372 bytes --]

hi，everyone.

I meet with a problem(seandroid 4.4)：As we know,/data was mounted 
as ext4 partition in original version. Additional I mount /data as a 
psuedo filesystme. 


the sepolicy of  external/sepolicy/fs_use is changed as follow:
...
fs_use_xattr ext4 u:object_r:labeledfs:s0;
...
fs_use_trans psuedosystem u:object_r:psuedosystem :s0


I found that after power on mobile phone,every app is running ok,and  
secontext of files in /data(psuedo filesystem layer) is 
"u:object_r: psuedosystem :s0" , and  secontext of files
 in /data(ext4 layer) is correct with sepolicy,such as
 "u:object_r:app_data_file:s0".


but when I install a new app,the secontext of app's dirs and files in ext4 
partition is inherited from app installed dir /data/data,sosecontext is
 "u:object_r:system_data_file:s0",the right should be "u:object_r:app_data_file:s0".


I think this problem maybe caused by :when mount /data on psuedo filesystem,the
/data represent ext4 filesystem is hide.So set selinux xattr,kernel only can operate 
psuedo filesystem file.


could someone tell me when install a new package ,how seandroid label package dir 
and files with external/sepolicy/fs_use above? If seandroid call systemcall "setxattr" to set
selinux context, i will modify the psuedo file system not operate psuedo filesystem file 
but lower ext4 file in /data.


thanks for your help.

[-- Attachment #2: Type: text/html, Size: 7864 bytes --]

Re: /data used as two filesystem mountpoint，then seandroid how to lable file secontext?

[William Roberts]

[-- Attachment #1: Type: text/plain, Size: 1628 bytes --]

Context option on mount can be used...or via genfscon statements if
applicable
On Apr 12, 2014 7:53 PM, "ge" <geshifei@126.com> wrote:

> hi，everyone.
> I meet with a problem(seandroid 4.4)：As we know,/data was mounted
> as ext4 partition in original version. Additional I mount /data as a
> psuedo filesystme.
>
> the sepolicy of  external/sepolicy/fs_use is changed as follow:
> ...
> *fs_use_xattr ext4 u:object_r:labeledfs:s0;*
> ...
> *fs_use_trans psuedosystem u:object_r:* *psuedosystem* *:s0*
>
> I found that after power on mobile phone,every app is running ok,and
> secontext of files in /data(psuedo filesystem layer) is
> "*u:object_r:* *psuedosystem* *:s0*" , and  secontext of files
>  in /data(ext4 layer) is correct with sepolicy,such as
>  "u:object_r:app_data_file:s0".
>
> but when I install a new app,the secontext of app's dirs and files in
> ext4
> partition is inherited from app installed dir /data/data,sosecontext is
>  "u:object_r:system_data_file:s0",the right should be
> "u:object_r:app_data_file:s0".
>
> I think this problem maybe caused by :when mount /data on psuedo
> filesystem,the
> /data represent ext4 filesystem is hide.So set selinux xattr,kernel only
> can operate
> psuedo filesystem file.
>
> could someone tell me when install a new package ,how seandroid label
> package dir
> and files with external/sepolicy/fs_use above? If seandroid call
> systemcall "setxattr" to set
> selinux context, i will modify the psuedo file system not operate psuedo
> filesystem file
> but lower ext4 file in /data.
>
> thanks for your help.
>
>
>

[-- Attachment #2: Type: text/html, Size: 7699 bytes --]

Re: /data used as two filesystem mountpoint，then seandroid how to lable file secontext?

[Stephen Smalley]

On 04/12/2014 10:47 PM, ge wrote:
> hi，everyone.
> I meet with a problem(seandroid 4.4)：As we know,/data was mounted 
> as ext4 partition in original version. Additional I mount /data as a 
> psuedo filesystme. 
> 
> the sepolicy of  external/sepolicy/fs_use is changed as follow:
> ...
> *fs_use_xattr ext4 u:object_r:labeledfs:s0;*
> ...
> *fs_use_trans psuedosystem u:object_r:* *psuedosystem* *:s0*
> *
> *
> I found that after power on mobile phone,every app is running ok,and  
> secontext of files in /data(psuedo filesystem layer) is 
> "*u:object_r:* *psuedosystem* *:s0*" , and  secontext of files
>  in /data(ext4 layer) is correct with sepolicy,such as
>  "u:object_r:app_data_file:s0".
> 
> but when I install a new app,the secontext of app's dirs and files in ext4 
> partition is inherited from app installed dir /data/data,sosecontext is
>  "u:object_r:system_data_file:s0",the right should
> be "u:object_r:app_data_file:s0".
> 
> I think this problem maybe caused by :when mount /data on psuedo
> filesystem,the
> /data represent ext4 filesystem is hide.So set selinux xattr,kernel only
> can operate 
> psuedo filesystem file.
> 
> could someone tell me when install a new package ,how seandroid label
> package dir 
> and files with external/sepolicy/fs_use above? If seandroid call
> systemcall "setxattr" to set
> selinux context, i will modify the psuedo file system not operate psuedo
> filesystem file 
> but lower ext4 file in /data.
> 
> thanks for your help.

seandroid-list would be a better place to ask this question.  However, I
think we need more information - it sounds like you are using some kind
of unionfs / union mount mechanism to overlay two mounts on /data, but
you didn't identify what you are using or what kernel you are using, so
it is difficult to answer any questions about how your specific union
mechanism may operate wrt xattrs.  If the pseudo filesystem is the top
layer, then yes, you will likely encounter problems with files in the
lower layer not being labeled properly.