aa5ab7f890
* Mon Jul 13 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.8.0-0.rc5.1] - v5.8-rc5 rebase - arm64: dts: sun50i-a64-pinephone: Add touchscreen support (Ondrej Jirman) - arm64: dts: sun50i-a64-pinephone: Enable LCD support on PinePhone (Icenowy Zheng) - drm/panel: st7703: Assert reset prior to powering down the regulators (Ondrej Jirman) - drm/panel: st7703: Enter sleep after display off (Ondrej Jirman) - drm/panel: st7703: Add support for Xingbangda XBD599 (Ondrej Jirman) - drm/panel: st7703: Move generic part of init sequence to enable callback (Ondrej Jirman) - drm/panel: st7703: Move code specific to jh057n closer together (Ondrej Jirman) - drm/panel: st7703: Prepare for supporting multiple panels (Ondrej Jirman) - drm/panel: st7703: Rename functions from jh057n prefix to st7703 (Ondrej Jirman) - drm/panel: rocktech-jh057n00900: Rename the driver to st7703 (Ondrej Jirman) - dt-bindings: panel: Add compatible for Xingbangda XBD599 panel (Ondrej Jirman) - dt-bindings: panel: Convert rocktech, jh057n00900 to yaml (Ondrej Jirman) - dt-bindings: vendor-prefixes: Add Xingbangda (Icenowy Zheng) - Revert "arm64: allwinner: dts: a64: add LCD-related device nodes for PinePhone" (Peter Robinson) - Revert "drm/sun4i: sun6i_mipi_dsi: fix horizontal timing calculation" (Peter Robinson) - Revert "drm: panel: add Xingbangda XBD599 panel" (Peter Robinson) - Revert "dt-bindings: panel: add binding for Xingbangda XBD599 panel" (Peter Robinson) - selinux: allow reading labels before policy is loaded (Jonathan Lebon) - Fixes "acpi: prefer booting with ACPI over DTS" to be RHEL only (Peter Robinson) - Update config for renamed panel driver. (Peter Robinson) - Enable SERIAL_SC16IS7XX for SPI interfaces (Peter Robinson) - Updated changelog for the release based on dcde237b9b0e (Fedora Kernel Team) Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
50 lines
1.9 KiB
Diff
50 lines
1.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Jonathan Lebon <jlebon@redhat.com>
|
|
Date: Thu, 28 May 2020 10:39:40 -0400
|
|
Subject: [PATCH] selinux: allow reading labels before policy is loaded
|
|
|
|
This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
|
|
labeling before policy is loaded") did for `setxattr`; it allows
|
|
querying the current SELinux label on disk before the policy is loaded.
|
|
|
|
One of the motivations described in that commit message also drives this
|
|
patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
|
|
able to move the root filesystem for example, from xfs to ext4 on RAID,
|
|
on first boot, at initrd time.[1]
|
|
|
|
Because such an operation works at the filesystem level, we need to be
|
|
able to read the SELinux labels first from the original root, and apply
|
|
them to the files of the new root. The previous commit enabled the
|
|
second part of this process; this commit enables the first part.
|
|
|
|
[1] https://github.com/coreos/fedora-coreos-tracker/issues/94
|
|
|
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
|
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
|
|
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
|
---
|
|
security/selinux/hooks.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
|
index efa6108b1ce9..ca901025802a 100644
|
|
--- a/security/selinux/hooks.c
|
|
+++ b/security/selinux/hooks.c
|
|
@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
|
|
char *context = NULL;
|
|
struct inode_security_struct *isec;
|
|
|
|
- if (strcmp(name, XATTR_SELINUX_SUFFIX))
|
|
+ /*
|
|
+ * If we're not initialized yet, then we can't validate contexts, so
|
|
+ * just let vfs_getxattr fall back to using the on-disk xattr.
|
|
+ */
|
|
+ if (!selinux_initialized(&selinux_state) ||
|
|
+ strcmp(name, XATTR_SELINUX_SUFFIX))
|
|
return -EOPNOTSUPP;
|
|
|
|
/*
|
|
--
|
|
2.26.2
|
|
|