diff mbox series

selinux: allow reading labels before policy is loaded

Message ID 20200527220653.188794-1-jlebon@redhat.com (mailing list archive)
State Superseded
Series selinux: allow reading labels before policy is loaded

Commit Message

Jonathan Lebon May 27, 2020, 10:06 p.m. UTC
This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
labeling before policy is loaded") did for `setxattr`; it allows
querying the current SELinux label on disk before the policy is loaded.

One of the motivations described in that commit message also drives this
patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
able to move the root filesystem, for example from xfs to ext4 on RAID,
on first boot, at initrd time.[1]

Because such an operation works at the filesystem level, we need to be
able to read the SELinux labels first from the original root, and apply
them to the files of the new root. The previous commit enabled the
second part of this process; this commit enables the first part.

[1] https://github.com/coreos/fedora-coreos-tracker/issues/94

Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
---
 security/selinux/hooks.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Jonathan Lebon May 27, 2020, 10:11 p.m. UTC | #1
Apologies, this should have had the subject line:

> [PATCH v3] selinux: allow reading labels before policy is loaded

I missed passing `-v 3` to `git format-patch`.
Stephen Smalley May 28, 2020, 1:42 p.m. UTC | #2
On Wed, May 27, 2020 at 6:10 PM Jonathan Lebon <jlebon@redhat.com> wrote:
>
> This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
> labeling before policy is loaded") did for `setxattr`; it allows
> querying the current SELinux label on disk before the policy is loaded.
>
> One of the motivations described in that commit message also drives this
> patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
> able to move the root filesystem, for example from xfs to ext4 on RAID,
> on first boot, at initrd time.[1]
>
> Because such an operation works at the filesystem level, we need to be
> able to read the SELinux labels first from the original root, and apply
> them to the files of the new root. The previous commit enabled the
> second part of this process; this commit enables the first part.
>
> [1] https://github.com/coreos/fedora-coreos-tracker/issues/94
>
> Signed-off-by: Jonathan Lebon <jlebon@redhat.com>

You might want to fix the comment style below, but otherwise,

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

> ---
>  security/selinux/hooks.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0b4e32161b7..a2caf6e2313 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3334,7 +3334,11 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
>         char *context = NULL;
>         struct inode_security_struct *isec;
>
> -       if (strcmp(name, XATTR_SELINUX_SUFFIX))
> +       /* If we're not initialized yet, then we can't validate contexts, so
> +        * just let vfs_getxattr fall back to using the on-disk xattr.
> +        */

coding-style says that multi-line comment style is to use a separate
line for the opening /* unless in net/


> +       if (!selinux_initialized(&selinux_state) ||
> +           strcmp(name, XATTR_SELINUX_SUFFIX))
>                 return -EOPNOTSUPP;
>
>         /*
> --
> 2.25.4
>
Jonathan Lebon May 28, 2020, 2:58 p.m. UTC | #3
On Thu, May 28, 2020 at 9:42 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> You might want to fix the comment style below, but otherwise,
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Fixed in v4!

Thank you and Ondrej for the reviews.

Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0b4e32161b7..a2caf6e2313 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3334,7 +3334,11 @@  static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
 	char *context = NULL;
 	struct inode_security_struct *isec;
 
-	if (strcmp(name, XATTR_SELINUX_SUFFIX))
+	/* If we're not initialized yet, then we can't validate contexts, so
+	 * just let vfs_getxattr fall back to using the on-disk xattr.
+	 */
+	if (!selinux_initialized(&selinux_state) ||
+	    strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
 	/*
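Review bot: the new early return folds the not-yet-initialized case into the existing `strcmp` check, so both paths return -EOPNOTSUPP and let vfs_getxattr fall back to the raw on-disk xattr, as the comment says; it would be worth making the comment explicit that the string handed back before policy load is the unvalidated on-disk value (no context validation has been done), so initrd callers that read it must treat it as opaque data to carry over to the new root rather than as a checked context. Separately, as already raised in review, coding-style wants the opening `/*` of this multi-line comment on its own line outside net/.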