From: Jonathan Lebon <jlebon@redhat.com>
To: selinux@vger.kernel.org
Cc: Jonathan Lebon <jlebon@redhat.com>
Subject: [PATCH] selinux: allow reading labels before policy is loaded
Date: Wed, 27 May 2020 18:06:54 -0400
Message-ID: <20200527220653.188794-1-jlebon@redhat.com>

This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
labeling before policy is loaded") did for `setxattr`; it allows
querying the current SELinux label on disk before the policy is loaded.

One of the motivations described in that commit message also drives this
patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
able to move the root filesystem, for example from xfs to ext4 on RAID,
on first boot, at initrd time. [1]

Because such an operation works at the filesystem level, we need to be
able to read the SELinux labels first from the original root, and apply
them to the files of the new root. The previous commit enabled the
second part of this process; this commit enables the first part.

[1] https://github.com/coreos/fedora-coreos-tracker/issues/94

Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
---
 security/selinux/hooks.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0b4e32161b7..a2caf6e2313 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3334,7 +3334,11 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
 	char *context = NULL;
 	struct inode_security_struct *isec;
 
-	if (strcmp(name, XATTR_SELINUX_SUFFIX))
+	/* If we're not initialized yet, then we can't validate contexts, so
+	 * just let vfs_getxattr fall back to using the on-disk xattr.
+	 */
+	if (!selinux_initialized(&selinux_state) ||
+	    strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
 	/*
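Review bot: the new early return in selinux_inode_getsecurity() applies to every caller of the hook, but the comment above it only justifies the behaviour for the vfs_getxattr path; if the hook is also reached from other callers in hooks.c, they too start receiving -EOPNOTSUPP before policy load, so either state in the commit message that this is intended for all callers or narrow the check to the getxattr path. Minor style point: the kernel's preferred multi-line comment form puts `/*` on a line of its own, as the unchanged comment just below this hunk does.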
-- 
2.25.4
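As an added userspace illustration (not part of this patch or of any CoreOS tool), here is the initrd step the commit message describes: read the on-disk label of a file in the old root and apply it to its counterpart in the new root. The routine copies any extended attribute verbatim, so it generalizes beyond security.selinux; `copy_xattr`, `copy_selinux_label` and `demo_roundtrip` are names chosen here, and the self-check uses a constructed user.* attribute because writing security.selinux needs privilege and a loaded policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SELINUX_XATTR "security.selinux"
/* Copy one extended attribute from src to dst without interpreting it.
 * Returns 1 if copied, 0 if src has no such attribute (ENODATA) or the
 * kernel/filesystem answers EOPNOTSUPP, -1 on any other error (errno set). */
int copy_xattr(const char *src, const char *dst, const char *name)
{
    ssize_t n = lgetxattr(src, name, NULL, 0);   /* query stored size first */
    if (n <= 0)
        return (n == 0 || errno == ENODATA || errno == EOPNOTSUPP) ? 0 : -1;
    char *val = malloc((size_t)n);
    if (!val) return -1;
    n = lgetxattr(src, name, val, (size_t)n);   /* bytes verbatim, NUL included */
    int rc = (n < 0 || lsetxattr(dst, name, val, (size_t)n, 0) < 0) ? -1 : 1;
    free(val);
    return rc;
}

/* The initrd use case from the commit message: carry the on-disk label of a
 * file in the old root over to its counterpart in the new root.  Without the
 * patch, getxattr before policy load did not return the on-disk label, so the
 * label could not be carried across. */
int copy_selinux_label(const char *src, const char *dst)
{
    return copy_xattr(src, dst, SELINUX_XATTR);
}

/* Self-check with two constructed temp files and a constructed user.*
 * attribute (security.selinux needs privilege).  Returns 1 if the attribute
 * round-tripped, 0 if the filesystem lacks user xattr support, -1 on failure. */
int demo_roundtrip(void)
{
    char src[] = "/tmp/xattr-src-XXXXXX", dst[] = "/tmp/xattr-dst-XXXXXX", got[16];
    int fs = mkstemp(src), fd = mkstemp(dst), rc = -1;
    if (fs < 0 || fd < 0)
        return -1;
    close(fs); close(fd);
    if (lsetxattr(src, "user.constructed", "label", 6, 0) < 0)
        rc = (errno == EOPNOTSUPP) ? 0 : -1;   /* e.g. tmpfs without user xattrs */
    else if (copy_xattr(src, dst, "user.constructed") == 1 &&
             lgetxattr(dst, "user.constructed", got, sizeof got) == 6)
        rc = strcmp(got, "label") == 0 ? 1 : -1;
    unlink(src); unlink(dst);
    return rc;
}
```

Run it as root on an SELinux host to see `copy_selinux_label` carry a real label; unprivileged, the demo only exercises the user.* round trip.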

