50 lines
1.9 KiB
Diff
50 lines
1.9 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Jonathan Lebon <jlebon@redhat.com>
|
||
|
Date: Thu, 28 May 2020 10:39:40 -0400
|
||
|
Subject: [PATCH] selinux: allow reading labels before policy is loaded
|
||
|
|
||
|
This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
|
||
|
labeling before policy is loaded") did for `setxattr`; it allows
|
||
|
querying the current SELinux label on disk before the policy is loaded.
|
||
|
|
||
|
One of the motivations described in that commit message also drives this
|
||
|
patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
|
||
|
able to move the root filesystem for example, from xfs to ext4 on RAID,
|
||
|
on first boot, at initrd time.[1]
|
||
|
|
||
|
Because such an operation works at the filesystem level, we need to be
|
||
|
able to read the SELinux labels first from the original root, and apply
|
||
|
them to the files of the new root. The previous commit enabled the
|
||
|
second part of this process; this commit enables the first part.
|
||
|
|
||
|
[1] https://github.com/coreos/fedora-coreos-tracker/issues/94
|
||
|
|
||
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||
|
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
|
||
|
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
||
|
---
|
||
|
security/selinux/hooks.c | 7 ++++++-
|
||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||
|
index efa6108b1ce9..ca901025802a 100644
|
||
|
--- a/security/selinux/hooks.c
|
||
|
+++ b/security/selinux/hooks.c
|
||
|
@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
|
||
|
char *context = NULL;
|
||
|
struct inode_security_struct *isec;
|
||
|
|
||
|
- if (strcmp(name, XATTR_SELINUX_SUFFIX))
|
||
|
+ /*
|
||
|
+ * If we're not initialized yet, then we can't validate contexts, so
|
||
|
+ * just let vfs_getxattr fall back to using the on-disk xattr.
|
||
|
+ */
|
||
|
+ if (!selinux_initialized(&selinux_state) ||
|
||
|
+ strcmp(name, XATTR_SELINUX_SUFFIX))
|
||
|
return -EOPNOTSUPP;
|
||
|
|
||
|
/*
|
||
|
--
|
||
|
2.26.2
|
||
|
|