selinux: permit removing security.selinux xattr before policy load

Message ID 20200820170040.64664-1-stephen.smalley.work@gmail.com (mailing list archive)
State Accepted
Series selinux: permit removing security.selinux xattr before policy load

Commit Message

Stephen Smalley Aug. 20, 2020, 5 p.m. UTC
Currently SELinux denies attempts to remove the security.selinux xattr
always, even when permissive or no policy is loaded.  This was originally
motivated by the view that all files should be labeled, even if that label
is unlabeled_t, and we shouldn't permit files that were once labeled to
have their labels removed entirely.  This however prevents removing
SELinux xattrs in the case where one "disables" SELinux by not loading
a policy (e.g. a system where runtime disable is removed and selinux=0
was not specified).  Allow removing the xattr before SELinux is
initialized.  We could conceivably permit it even after initialization
if permissive, or introduce a separate permission check here.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/hooks.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul Moore Aug. 21, 2020, 1:59 a.m. UTC | #1
On Thu, Aug 20, 2020 at 1:00 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Currently SELinux denies attempts to remove the security.selinux xattr
> always, even when permissive or no policy is loaded.  This was originally
> motivated by the view that all files should be labeled, even if that label
> is unlabeled_t, and we shouldn't permit files that were once labeled to
> have their labels removed entirely.  This however prevents removing
> SELinux xattrs in the case where one "disables" SELinux by not loading
> a policy (e.g. a system where runtime disable is removed and selinux=0
> was not specified).  Allow removing the xattr before SELinux is
> initialized.  We could conceivably permit it even after initialization
> if permissive, or introduce a separate permission check here.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  security/selinux/hooks.c | 3 +++
>  1 file changed, 3 insertions(+)

I'm in no rush to allow removing labels/xattrs if a policy is loaded,
but it does make sense if one isn't loaded, especially when one
considers the desire to get rid of the runtime disable.

Merged into selinux/next, thanks.
Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ca901025802a..89d3753b7bd5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3271,6 +3271,9 @@  static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
 		return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
 	}
 
+	if (!selinux_initialized(&selinux_state))
+		return 0;
+
 	/* No one is allowed to remove a SELinux security label.
 	   You can change the label, but all data must be labeled. */
 	return -EACCES;
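Review bot: the new early return (`if (!selinux_initialized(&selinux_state)) return 0;`) allows removal of security.selinux with no permission check at all, whereas the branch just above still gates removal of every other xattr name on `dentry_has_perm(current_cred(), dentry, FILE__SETATTR)`; since the commit message treats the not-yet-initialized state as a "disabled" configuration rather than an open one, it is worth stating in the commit message why no DAC or capability check is wanted here, or else applying the same check the other branch uses before returning 0, as a stripped label is exactly what a later policy load can no longer recover. Separately, the comment that follows ("No one is allowed to remove a SELinux security label.") is now only true after initialization; suggest rewording it to something like "Once a policy is loaded, no one is allowed to remove a SELinux security label" so the comment and the code agree.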