On 07/01/17 at 07:21, Russell Coker wrote:
On Friday, 6 January 2017 2:09:13 PM AEDT Laurent Bigonville wrote:
I just retested myself and it's working with the kernel from unstable
(apparently you need >= 4.2) and the following line:

genfscon sysfs /devices/system/cpu/online
gen_context(system_u:object_r:cpu_online_t,s0)

So yes it can be solved in the policy.
I just tried it again with that line in devices.te with kernel 4.8 and it
didn't work for me.  Please send me a patch of exactly what you used.

I'm using the refpolicy with this patch above it.

kernel from unstable: Linux fornost 4.8.0-2-amd64 #1 SMP Debian 4.8.11-1 (2016-12-02) x86_64 GNU/Linux

I tried to load the policy from the initramfs to be sure nothing was calling restorecon and it still works.
From 6866d45e5130461cca090cc9be903336ea037f7b Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bi...@bigon.be>
Date: Fri, 6 Jan 2017 14:18:24 +0100
Subject: [PATCH] Use genfscon to label /sys/devices/system/cpu/online as
 cpu_online_t

Since 8e01472078763ebc1eaea089a1adab75dd982ccd, it's possible to use
genfscon for sysfs.

This patch should help to deprecate distribution specific call to
restorecon or tmpfiles to restore /sys/devices/system/cpu/online during
boot.

Thanks to Dominick for the tip.
---
 policy/modules/kernel/devices.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9b1f207f..67515ad8 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -66,6 +66,7 @@ dev_node(cpu_device_t)
 type cpu_online_t, sysfs_types;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
 
 #
 # Type for /dev/crash
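Review bot: the added genfscon line carries no note of the kernel requirement, while the commit message only cites a kernel commit hash and the thread reports the label not taking effect on one 4.8 kernel; a short comment above the new line, e.g. `# genfscon on sysfs paths needs a kernel with sysfs genfscon support (>= 4.2 per the discussion)`, would tell future readers why the entry may be silently ineffective on older kernels. Two smaller points: the kernel resolves genfscon entries by longest matching path prefix, so any sysfs node whose path begins with `/devices/system/cpu/online` would also receive cpu_online_t; and since genfscon is only accepted in the base policy, it is worth stating in the message that devices.te is built into base, so distributions that build it as a loadable module would hit a compile error rather than a labeling change.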
-- 
2.11.0
