* SELinux labels not defined @ 2021-10-02 22:50 David Michael 2021-10-03 4:38 ` Gao Xiang 2021-10-04 3:59 ` [PATCH] Add erofs as a SELinux capable file system Gao Xiang 0 siblings, 2 replies; 9+ messages in thread From: David Michael @ 2021-10-02 22:50 UTC (permalink / raw) To: linux-erofs Hi, I tried to make an SELinux-labeled EROFS image, and the image itself seems to contain the labels from a hex dump, but the mounted files are all unlabeled: # ls -lZ xml total 8 drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig # mkfs.erofs test.img xml mkfs.erofs 1.3-g4e183568-dirty c_version: [1.3-g4e183568-dirty] c_dbg_lvl: [ 2] c_dry_run: [ 0] # mount -o X-mount.mkdir test.img test # ls -lZ test total 8 drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with the relevant config options: CONFIG_EROFS_FS=m # CONFIG_EROFS_FS_DEBUG is not set CONFIG_EROFS_FS_XATTR=y CONFIG_EROFS_FS_POSIX_ACL=y CONFIG_EROFS_FS_SECURITY=y CONFIG_EROFS_FS_ZIP=y I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and it also has the same issue. However, the earliest kernel in Fedora 33 (5.8.15-301.fc33.x86_64) has the correct labels when the image is mounted. Is there a problem in the file system driver, or do I need to do something different for newer kernels? Thanks. David ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: SELinux labels not defined 2021-10-02 22:50 SELinux labels not defined David Michael @ 2021-10-03 4:38 ` Gao Xiang 2021-10-04 0:31 ` David Michael 2021-10-04 3:59 ` [PATCH] Add erofs as a SELinux capable file system Gao Xiang 1 sibling, 1 reply; 9+ messages in thread From: Gao Xiang @ 2021-10-03 4:38 UTC (permalink / raw) To: David Michael; +Cc: linux-erofs Hi David, On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote: > Hi, > > I tried to make an SELinux-labeled EROFS image, and the image itself > seems to contain the labels from a hex dump, but the mounted files are > all unlabeled: > > # ls -lZ xml > total 8 > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig > # mkfs.erofs test.img xml > mkfs.erofs 1.3-g4e183568-dirty > c_version: [1.3-g4e183568-dirty] > c_dbg_lvl: [ 2] > c_dry_run: [ 0] > # mount -o X-mount.mkdir test.img test > # ls -lZ test > total 8 > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with > the relevant config options: > > CONFIG_EROFS_FS=m > # CONFIG_EROFS_FS_DEBUG is not set > CONFIG_EROFS_FS_XATTR=y > CONFIG_EROFS_FS_POSIX_ACL=y > CONFIG_EROFS_FS_SECURITY=y > CONFIG_EROFS_FS_ZIP=y > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and > it also has the same issue. However, the earliest kernel in Fedora 33 > (5.8.15-301.fc33.x86_64) has the correct labels when the image is > mounted. Is there a problem in the file system driver, or do I need to > do something different for newer kernels? Thanks for your report! I don't think there is any difference between 5.8 - 5.14 on EROFS selinux xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10. Would you mind checking if Fedora kernels did something new for EROFS or something else on fc34? Can you check if the images work on upstream kernels? For example, in my own testing environment (upstream kernel + buildroot): # file: verity_key security.selinux="u:object_r:rootfs:s0" # uname -a Linux buildroot 5.15.0-rc3+ #14 SMP Wed Sep 29 09:57:09 CST 2021 x86_64 GNU/Linux Thanks, Gao Xiang > > Thanks. > > David ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: SELinux labels not defined 2021-10-03 4:38 ` Gao Xiang @ 2021-10-04 0:31 ` David Michael 2021-10-04 1:44 ` Gao Xiang 0 siblings, 1 reply; 9+ messages in thread From: David Michael @ 2021-10-04 0:31 UTC (permalink / raw) To: linux-erofs On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <xiang@kernel.org> wrote: > Hi David, > > On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote: > > Hi, > > > > I tried to make an SELinux-labeled EROFS image, and the image itself > > seems to contain the labels from a hex dump, but the mounted files are > > all unlabeled: > > > > # ls -lZ xml > > total 8 > > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 > > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig > > # mkfs.erofs test.img xml > > mkfs.erofs 1.3-g4e183568-dirty > > c_version: [1.3-g4e183568-dirty] > > c_dbg_lvl: [ 2] > > c_dry_run: [ 0] > > # mount -o X-mount.mkdir test.img test > > # ls -lZ test > > total 8 > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig > > > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with > > the relevant config options: > > > > CONFIG_EROFS_FS=m > > # CONFIG_EROFS_FS_DEBUG is not set > > CONFIG_EROFS_FS_XATTR=y > > CONFIG_EROFS_FS_POSIX_ACL=y > > CONFIG_EROFS_FS_SECURITY=y > > CONFIG_EROFS_FS_ZIP=y > > > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and > > it also has the same issue. However, the earliest kernel in Fedora 33 > > (5.8.15-301.fc33.x86_64) has the correct labels when the image is > > mounted. Is there a problem in the file system driver, or do I need to > > do something different for newer kernels? > > Thanks for your report! > > I don't think there is any difference between 5.8 - 5.14 on EROFS selinux > xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10. > > Would you mind checking if Fedora kernels did something new for EROFS or > something else on fc34? Can you check if the images work on upstream > kernels? The labels failed in the same way on every distro I tried: Fedora, openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo (5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened). I noticed that the labels appear correctly when the system is running with SELinux disabled, but booting with it enabled results in unlabeled_t labels on erofs mounts. Thanks. David ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: SELinux labels not defined 2021-10-04 0:31 ` David Michael @ 2021-10-04 1:44 ` Gao Xiang 2021-10-04 4:10 ` Gao Xiang 0 siblings, 1 reply; 9+ messages in thread From: Gao Xiang @ 2021-10-04 1:44 UTC (permalink / raw) To: David Michael; +Cc: linux-erofs On Sun, Oct 03, 2021 at 08:31:18PM -0400, David Michael wrote: > On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <xiang@kernel.org> wrote: > > Hi David, > > > > On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote: > > > Hi, > > > > > > I tried to make an SELinux-labeled EROFS image, and the image itself > > > seems to contain the labels from a hex dump, but the mounted files are > > > all unlabeled: > > > > > > # ls -lZ xml > > > total 8 > > > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 > > > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig > > > # mkfs.erofs test.img xml > > > mkfs.erofs 1.3-g4e183568-dirty > > > c_version: [1.3-g4e183568-dirty] > > > c_dbg_lvl: [ 2] > > > c_dry_run: [ 0] > > > # mount -o X-mount.mkdir test.img test > > > # ls -lZ test > > > total 8 > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig > > > > > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with > > > the relevant config options: > > > > > > CONFIG_EROFS_FS=m > > > # CONFIG_EROFS_FS_DEBUG is not set > > > CONFIG_EROFS_FS_XATTR=y > > > CONFIG_EROFS_FS_POSIX_ACL=y > > > CONFIG_EROFS_FS_SECURITY=y > > > CONFIG_EROFS_FS_ZIP=y > > > > > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and > > > it also has the same issue. However, the earliest kernel in Fedora 33 > > > (5.8.15-301.fc33.x86_64) has the correct labels when the image is > > > mounted. Is there a problem in the file system driver, or do I need to > > > do something different for newer kernels? > > > > Thanks for your report! > > > > I don't think there is any difference between 5.8 - 5.14 on EROFS selinux > > xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10. > > > > Would you mind checking if Fedora kernels did something new for EROFS or > > something else on fc34? Can you check if the images work on upstream > > kernels? > > The labels failed in the same way on every distro I tried: Fedora, > openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo > (5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened). > > I noticed that the labels appear correctly when the system is running > with SELinux disabled, but booting with it enabled results in > unlabeled_t labels on erofs mounts. May I ask what "getfattr -m security.selinux" returns for these files if the issue happens? I have no idea what's wrong with the recent versions. I'll dig info it further. But it needs some extra time. Thanks, Gao Xiang > > Thanks. > > David ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: SELinux labels not defined 2021-10-04 1:44 ` Gao Xiang @ 2021-10-04 4:10 ` Gao Xiang 2021-10-09 13:31 ` David Michael 0 siblings, 1 reply; 9+ messages in thread From: Gao Xiang @ 2021-10-04 4:10 UTC (permalink / raw) To: David Michael, linux-erofs Hi, On Mon, Oct 04, 2021 at 09:44:49AM +0800, Gao Xiang wrote: > On Sun, Oct 03, 2021 at 08:31:18PM -0400, David Michael wrote: > > On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <xiang@kernel.org> wrote: > > > Hi David, > > > > > > On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote: > > > > Hi, > > > > > > > > I tried to make an SELinux-labeled EROFS image, and the image itself > > > > seems to contain the labels from a hex dump, but the mounted files are > > > > all unlabeled: > > > > > > > > # ls -lZ xml > > > > total 8 > > > > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 > > > > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig > > > > # mkfs.erofs test.img xml > > > > mkfs.erofs 1.3-g4e183568-dirty > > > > c_version: [1.3-g4e183568-dirty] > > > > c_dbg_lvl: [ 2] > > > > c_dry_run: [ 0] > > > > # mount -o X-mount.mkdir test.img test > > > > # ls -lZ test > > > > total 8 > > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 > > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig > > > > > > > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with > > > > the relevant config options: > > > > > > > > CONFIG_EROFS_FS=m > > > > # CONFIG_EROFS_FS_DEBUG is not set > > > > CONFIG_EROFS_FS_XATTR=y > > > > CONFIG_EROFS_FS_POSIX_ACL=y > > > > CONFIG_EROFS_FS_SECURITY=y > > > > CONFIG_EROFS_FS_ZIP=y > > > > > > > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and > > > > it also has the same issue. However, the earliest kernel in Fedora 33 > > > > (5.8.15-301.fc33.x86_64) has the correct labels when the image is > > > > mounted. Is there a problem in the file system driver, or do I need to > > > > do something different for newer kernels? > > > > > > Thanks for your report! > > > > > > I don't think there is any difference between 5.8 - 5.14 on EROFS selinux > > > xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10. > > > > > > Would you mind checking if Fedora kernels did something new for EROFS or > > > something else on fc34? Can you check if the images work on upstream > > > kernels? > > > > The labels failed in the same way on every distro I tried: Fedora, > > openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo > > (5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened). > > > > I noticed that the labels appear correctly when the system is running > > with SELinux disabled, but booting with it enabled results in > > unlabeled_t labels on erofs mounts. > > May I ask what "getfattr -m security.selinux" returns for these files if > the issue happens? > > I have no idea what's wrong with the recent versions. I'll dig info it > further. But it needs some extra time. I found SECURITY_FS_USE_XATTR was not set due to lack of proper sepolicy. I've sent out a patch to refpolicy to address this: https://lore.kernel.org/selinux-refpolicy/20211004035901.5428-1-xiang@kernel.org/ Actually Android has its own sepolicy and doesn't use refpolicy above. We updated it several years ago. But refpolicy seems not. As for why Fedora 33 works, I have no clue yet (don't have much time on digging this.) Thanks, Gao Xiang ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: SELinux labels not defined 2021-10-04 4:10 ` Gao Xiang @ 2021-10-09 13:31 ` David Michael 2021-10-09 13:48 ` Gao Xiang 0 siblings, 1 reply; 9+ messages in thread From: David Michael @ 2021-10-09 13:31 UTC (permalink / raw) To: linux-erofs On Mon, Oct 4, 2021 at 12:10 AM Gao Xiang <xiang@kernel.org> wrote: > On Mon, Oct 04, 2021 at 09:44:49AM +0800, Gao Xiang wrote: > > On Sun, Oct 03, 2021 at 08:31:18PM -0400, David Michael wrote: > > > On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <xiang@kernel.org> wrote: > > > > Hi David, > > > > > > > > On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote: > > > > > Hi, > > > > > > > > > > I tried to make an SELinux-labeled EROFS image, and the image itself > > > > > seems to contain the labels from a hex dump, but the mounted files are > > > > > all unlabeled: > > > > > > > > > > # ls -lZ xml > > > > > total 8 > > > > > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 > > > > > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig > > > > > # mkfs.erofs test.img xml > > > > > mkfs.erofs 1.3-g4e183568-dirty > > > > > c_version: [1.3-g4e183568-dirty] > > > > > c_dbg_lvl: [ 2] > > > > > c_dry_run: [ 0] > > > > > # mount -o X-mount.mkdir test.img test > > > > > # ls -lZ test > > > > > total 8 > > > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 > > > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig > > > > > > > > > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with > > > > > the relevant config options: > > > > > > > > > > CONFIG_EROFS_FS=m > > > > > # CONFIG_EROFS_FS_DEBUG is not set > > > > > CONFIG_EROFS_FS_XATTR=y > > > > > CONFIG_EROFS_FS_POSIX_ACL=y > > > > > CONFIG_EROFS_FS_SECURITY=y > > > > > CONFIG_EROFS_FS_ZIP=y > > > > > > > > > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and > > > > > it also has the same issue. However, the earliest kernel in Fedora 33 > > > > > (5.8.15-301.fc33.x86_64) has the correct labels when the image is > > > > > mounted. Is there a problem in the file system driver, or do I need to > > > > > do something different for newer kernels? > > > > > > > > Thanks for your report! > > > > > > > > I don't think there is any difference between 5.8 - 5.14 on EROFS selinux > > > > xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10. > > > > > > > > Would you mind checking if Fedora kernels did something new for EROFS or > > > > something else on fc34? Can you check if the images work on upstream > > > > kernels? > > > > > > The labels failed in the same way on every distro I tried: Fedora, > > > openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo > > > (5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened). > > > > > > I noticed that the labels appear correctly when the system is running > > > with SELinux disabled, but booting with it enabled results in > > > unlabeled_t labels on erofs mounts. > > > > May I ask what "getfattr -m security.selinux" returns for these files if > > the issue happens? > > > > I have no idea what's wrong with the recent versions. I'll dig info it > > further. But it needs some extra time. > > I found SECURITY_FS_USE_XATTR was not set due to lack of proper > sepolicy. I've sent out a patch to refpolicy to address this: > https://lore.kernel.org/selinux-refpolicy/20211004035901.5428-1-xiang@kernel.org/ Sorry for the late reply, I finally got the time to build systems with this patch to test, and I can confirm this fixes the issue I was seeing. Thanks. David ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: SELinux labels not defined 2021-10-09 13:31 ` David Michael @ 2021-10-09 13:48 ` Gao Xiang 0 siblings, 0 replies; 9+ messages in thread From: Gao Xiang @ 2021-10-09 13:48 UTC (permalink / raw) To: David Michael; +Cc: linux-erofs On Sat, Oct 09, 2021 at 09:31:43AM -0400, David Michael wrote: > On Mon, Oct 4, 2021 at 12:10 AM Gao Xiang <xiang@kernel.org> wrote: > > On Mon, Oct 04, 2021 at 09:44:49AM +0800, Gao Xiang wrote: > > > On Sun, Oct 03, 2021 at 08:31:18PM -0400, David Michael wrote: > > > > On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <xiang@kernel.org> wrote: > > > > > Hi David, > > > > > > > > > > On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote: > > > > > > Hi, > > > > > > > > > > > > I tried to make an SELinux-labeled EROFS image, and the image itself > > > > > > seems to contain the labels from a hex dump, but the mounted files are > > > > > > all unlabeled: > > > > > > > > > > > > # ls -lZ xml > > > > > > total 8 > > > > > > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep 29 21:43 dbus-1 > > > > > > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig > > > > > > # mkfs.erofs test.img xml > > > > > > mkfs.erofs 1.3-g4e183568-dirty > > > > > > c_version: [1.3-g4e183568-dirty] > > > > > > c_dbg_lvl: [ 2] > > > > > > c_dry_run: [ 0] > > > > > > # mount -o X-mount.mkdir test.img test > > > > > > # ls -lZ test > > > > > > total 8 > > > > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2 18:37 dbus-1 > > > > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2 18:37 fontconfig > > > > > > > > > > > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with > > > > > > the relevant config options: > > > > > > > > > > > > CONFIG_EROFS_FS=m > > > > > > # CONFIG_EROFS_FS_DEBUG is not set > > > > > > CONFIG_EROFS_FS_XATTR=y > > > > > > CONFIG_EROFS_FS_POSIX_ACL=y > > > > > > CONFIG_EROFS_FS_SECURITY=y > > > > > > CONFIG_EROFS_FS_ZIP=y > > > > > > > > > > > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and > > > > > > it also has the same issue. However, the earliest kernel in Fedora 33 > > > > > > (5.8.15-301.fc33.x86_64) has the correct labels when the image is > > > > > > mounted. Is there a problem in the file system driver, or do I need to > > > > > > do something different for newer kernels? > > > > > > > > > > Thanks for your report! > > > > > > > > > > I don't think there is any difference between 5.8 - 5.14 on EROFS selinux > > > > > xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10. > > > > > > > > > > Would you mind checking if Fedora kernels did something new for EROFS or > > > > > something else on fc34? Can you check if the images work on upstream > > > > > kernels? > > > > > > > > The labels failed in the same way on every distro I tried: Fedora, > > > > openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo > > > > (5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened). > > > > > > > > I noticed that the labels appear correctly when the system is running > > > > with SELinux disabled, but booting with it enabled results in > > > > unlabeled_t labels on erofs mounts. > > > > > > May I ask what "getfattr -m security.selinux" returns for these files if > > > the issue happens? > > > > > > I have no idea what's wrong with the recent versions. I'll dig info it > > > further. But it needs some extra time. > > > > I found SECURITY_FS_USE_XATTR was not set due to lack of proper > > sepolicy. I've sent out a patch to refpolicy to address this: > > https://lore.kernel.org/selinux-refpolicy/20211004035901.5428-1-xiang@kernel.org/ > > Sorry for the late reply, I finally got the time to build systems with > this patch to test, and I can confirm this fixes the issue I was > seeing. Thanks for the confirmation! ;) (I should update it earlier...) Thanks, Gao XIang > > Thanks. > > David ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] Add erofs as a SELinux capable file system 2021-10-02 22:50 SELinux labels not defined David Michael 2021-10-03 4:38 ` Gao Xiang @ 2021-10-04 3:59 ` Gao Xiang 2021-10-05 18:50 ` Chris PeBenito via Linux-erofs 1 sibling, 1 reply; 9+ messages in thread From: Gao Xiang @ 2021-10-04 3:59 UTC (permalink / raw) To: selinux-refpolicy; +Cc: linux-erofs, David Michael EROFS supported the security xattr handler from Linux v4.19. Add erofs to the filesystem policy now. Reported-by: David Michael <fedora.dm0@gmail.com> Signed-off-by: Gao Xiang <xiang@kernel.org> --- policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 7282acba8537..8109348f70de 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -24,6 +24,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0) # Requires that a security xattr handler exist for the filesystem. fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr erofs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); -- 2.20.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] Add erofs as a SELinux capable file system 2021-10-04 3:59 ` [PATCH] Add erofs as a SELinux capable file system Gao Xiang @ 2021-10-05 18:50 ` Chris PeBenito via Linux-erofs 0 siblings, 0 replies; 9+ messages in thread From: Chris PeBenito via Linux-erofs @ 2021-10-05 18:50 UTC (permalink / raw) To: Gao Xiang, selinux-refpolicy; +Cc: linux-erofs, David Michael On 10/3/21 11:59 PM, Gao Xiang wrote: > EROFS supported the security xattr handler from Linux v4.19. > Add erofs to the filesystem policy now. > > Reported-by: David Michael <fedora.dm0@gmail.com> > Signed-off-by: Gao Xiang <xiang@kernel.org> > --- > policy/modules/kernel/filesystem.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te > index 7282acba8537..8109348f70de 100644 > --- a/policy/modules/kernel/filesystem.te > +++ b/policy/modules/kernel/filesystem.te > @@ -24,6 +24,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0) > # Requires that a security xattr handler exist for the filesystem. > fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); > fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); > +fs_use_xattr erofs gen_context(system_u:object_r:fs_t,s0); > fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); > fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); > fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); Merged. Thanks! -- Chris PeBenito ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2021-10-09 13:49 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-10-02 22:50 SELinux labels not defined David Michael 2021-10-03 4:38 ` Gao Xiang 2021-10-04 0:31 ` David Michael 2021-10-04 1:44 ` Gao Xiang 2021-10-04 4:10 ` Gao Xiang 2021-10-09 13:31 ` David Michael 2021-10-09 13:48 ` Gao Xiang 2021-10-04 3:59 ` [PATCH] Add erofs as a SELinux capable file system Gao Xiang 2021-10-05 18:50 ` Chris PeBenito via Linux-erofs
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).