Comments (5)
setfiles -r /path/to/altroot /path/to/altroot/etc/selinux/targeted/contexts/files/file_contexts /path/to/altroot
Used in meta-selinux for OpenEmbedded.
Alternatively, Android extends make_ext4fs (system/extras/ext4_utils) to support labeling the ext4 images when they are generated initially.
from selinux.
Also, I believe Yocto added support for setting xattrs in their generated ext[34] filesystem images as well, such that the model is that meta-selinux runs setfiles -r to set the contexts on the files and then the image generation tools fetch those xattrs and set them in the generated image.

I prefer the Android approach (unsurprisingly, since I wrote it originally) because it doesn't require the build host OS to deal with the security contexts at all; make_ext4fs directly looks up the correct context in file_contexts (when passed the appropriate options) and sets the xattr values in the generated image, without ever having to set a context on a file in a mounted filesystem on the build host. Aside from efficiency, this has the benefit that it avoids a potential problem when the build host OS has SELinux enabled and the contexts being set are unknown to its SELinux policy.
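The two labeling models described in the comments above, as an added Python example (not code from the SELinux project, meta-selinux or Android): the `setfiles -r altroot` half strips the altroot prefix before matching paths against file_contexts, and the make_ext4fs half is the same lookup done by the image builder itself, which then writes the resulting context into the image instead of onto the build host's filesystem. The file_contexts entries, type names and directory tree are constructed for the demonstration; the matching rules implemented (pattern anchored to the whole path, optional file-type field, `<<none>>` meaning "do not label", last matching entry wins) are the ones libselinux applies, approximated here with Python's `re` instead of PCRE2.

```python
"""Decide the SELinux context of every inode in a build-time alternate root.
Added example, not code from SELinux, meta-selinux or Android. Assumes the
file_contexts rules summarised in the lead-in; sample entries and the demo
tree are constructed, and the type names are illustrative."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# file_contexts type field -> predicate on the inode's st_mode.
TYPE_TESTS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
              "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK,
              "-p": stat.S_ISFIFO}

# Constructed sample in the order a policy build emits: general entries first,
# more specific ones later, so "last match wins" selects the specific one.
SAMPLE_FILE_CONTEXTS = """\
# pattern           [type]  context
/.*                         system_u:object_r:default_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/etc/shadow         --      system_u:object_r:shadow_t:s0
/var/run            -l      system_u:object_r:var_run_t:s0
/dev/pts(/.*)?              <<none>>
"""

@dataclass
class Spec:
    regex: re.Pattern
    ftype: Optional[str]    # None: any file type
    context: Optional[str]  # None: <<none>>, leave the inode unlabeled

def parse_file_contexts(text: str) -> list:
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in TYPE_TESTS:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        # libselinux anchors the pattern: it must match the whole path.
        specs.append(Spec(re.compile(rf"^(?:{pattern})$"), ftype,
                          None if context == "<<none>>" else context))
    return specs

def lookup(specs, path: str, mode: int = 0) -> Optional[str]:
    """Context for `path` given relative to the target root (e.g. /etc/shadow).
    Entries are checked in reverse so the last matching one wins; an entry with
    a type field is skipped when the inode's mode does not match it (mode 0
    means unknown and disables the type filter, as in libselinux)."""
    for spec in reversed(specs):
        if mode and spec.ftype and not TYPE_TESTS[spec.ftype](mode):
            continue
        if spec.regex.match(path):
            return spec.context
    return None

def image_path(altroot: str, real: str) -> str:
    """Strip the altroot prefix, as setfiles -r does, so patterns written for
    the target root match files that live under altroot on the build host."""
    rel = os.path.relpath(real, altroot)
    return "/" if rel == "." else "/" + rel

def plan_labels(specs, altroot: str) -> dict:
    """Walk altroot and decide the security.selinux value of every inode. Nothing
    is written: this is the lookup an image builder does before storing the
    xattr in the generated image, with no help from the host's SELinux."""
    altroot = os.path.abspath(altroot)
    plan = {}
    for dirpath, dirnames, filenames in os.walk(altroot):
        # Real subdirectories are handled when os.walk reaches them; symlinks to
        # directories are never followed, so label those here as symlinks.
        todo = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        todo += [os.path.join(dirpath, n) for n in dirnames
                 if os.path.islink(os.path.join(dirpath, n))]
        for real in todo:
            target = image_path(altroot, real)
            plan[target] = lookup(specs, target, os.lstat(real).st_mode)
    return plan

def apply_labels(altroot: str, plan: dict) -> list:
    """The setfiles -r step: store each context as the security.selinux xattr
    (NUL-terminated, as libselinux's setfilecon does). On a build host with
    SELinux enabled the kernel rejects (EINVAL) a context its own policy does
    not know unless the caller holds CAP_MAC_ADMIN; failures are returned."""
    failures = []
    for target, ctx in plan.items():
        if ctx is None:
            continue
        real = os.path.join(altroot, target.lstrip("/"))
        try:
            os.setxattr(real, "security.selinux", ctx.encode() + b"\0",
                        follow_symlinks=False)
        except OSError as e:
            failures.append((target, ctx, e.errno))
    return failures

def build_demo_tree() -> str:
    """Constructed altroot: /etc/shadow, /run, /var/run -> ../run, /dev/pts/0."""
    root = tempfile.mkdtemp(prefix="altroot-")
    for d in ("etc", "run", "var", "dev/pts"):
        os.makedirs(os.path.join(root, d))
    for f in ("etc/shadow", "dev/pts/0"):
        open(os.path.join(root, f), "w").close()
    os.symlink("../run", os.path.join(root, "var/run"))
    return root

def demo() -> dict:
    return plan_labels(parse_file_contexts(SAMPLE_FILE_CONTEXTS), build_demo_tree())

if __name__ == "__main__":
    for target, ctx in sorted(demo().items()):
        print(f"{target:16} {ctx or '<<none>>'}")
```

Running the script prints the planned label for each path of the constructed tree; `apply_labels` is the part a setfiles -r run performs and must be run as root (setting `security.*` xattrs is privileged). Its failure list is the check for the caveat raised in the comments: EINVAL from an SELinux-enabled build host means the host policy does not define the context, and either mac_admin privilege or labeling the image directly is needed.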
Also, just FYI, setfiles and restorecon are the same program these days, just with different command line interfaces and default behaviors selected by argv[0]. The original SELinux implementation from us only had setfiles, which was intended to be used to label filesystems even before first booting SELinux (and this was the basis for FreeBSD setfsmac(8)). Later Dan Walsh created a simpler restorecon utility for users to run on a SELinux-enabled system to restore contexts to their initial state. Over time, restorecon kept adding more functionality, overlapping significantly with setfiles, and eventually we coalesced them back into a single program. restorecon though is still only intended for use on a SELinux-enabled system, whereas setfiles is appropriate for running on SELinux-enabled or -disabled hosts.
I'm going to close this issue since I think it is already supported adequately via setfiles -r, but re-open or submit a new one if you encounter problems. NB: If running on a SELinux-enabled build host, then some machinations may be necessary to set security contexts unknown to the build host SELinux policy on files in this way.
I know it's a late response, but I just wanted to thank you for the super helpful information!