* [PATCH v4] selinux: allow reading labels before policy is loaded
@ 2020-05-28 14:39 Jonathan Lebon
From: Jonathan Lebon @ 2020-05-28 14:39 UTC (permalink / raw)
  To: selinux; +Cc: Jonathan Lebon, Stephen Smalley

This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
labeling before policy is loaded") did for `setxattr`; it allows
querying the current SELinux label on disk before the policy is loaded.

One of the motivations described in that commit message also drives this
patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
able to move the root filesystem, for example from xfs to ext4 on RAID,
on first boot, at initrd time.[1]

Because such an operation works at the filesystem level, we need to be
able to read the SELinux labels first from the original root, and apply
them to the files of the new root. The previous commit enabled the
second part of this process; this commit enables the first part.

[1] https://github.com/coreos/fedora-coreos-tracker/issues/94

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
---
 security/selinux/hooks.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0b4e32161b7..25b3403711d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3334,7 +3334,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
 	char *context = NULL;
 	struct inode_security_struct *isec;
 
-	if (strcmp(name, XATTR_SELINUX_SUFFIX))
+	/*
+	 * If we're not initialized yet, then we can't validate contexts, so
+	 * just let vfs_getxattr fall back to using the on-disk xattr.
+	 */
+	if (!selinux_initialized(&selinux_state) ||
+	    strcmp(name, XATTR_SELINUX_SUFFIX))
 		return -EOPNOTSUPP;
 
 	/*
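Review bot: the new comment on the added condition describes only the vfs_getxattr path, but nothing in the hunk limits the early -EOPNOTSUPP return to that caller: any other caller of selinux_inode_getsecurity now also gets -EOPNOTSUPP for the SELinux name until the policy is loaded, instead of whatever the function returned before initialization. Worth a sentence in the commit message (or the comment) saying which callers exist and that this is acceptable for each. The comment could also state plainly that the value handed back in this case is the raw on-disk string, returned without the validation the hook normally performs, since that is exactly what the commit message relies on.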
-- 
2.25.4



* Re: [PATCH v4] selinux: allow reading labels before policy is loaded
@ 2020-06-01 18:24 ` Paul Moore
From: Paul Moore @ 2020-06-01 18:24 UTC (permalink / raw)
  To: Jonathan Lebon; +Cc: selinux, Stephen Smalley

On Thu, May 28, 2020 at 10:49 AM Jonathan Lebon <jlebon@redhat.com> wrote:
>
> This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
> labeling before policy is loaded") did for `setxattr`; it allows
> querying the current SELinux label on disk before the policy is loaded.
>
> One of the motivations described in that commit message also drives this
> patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
> able to move the root filesystem, for example from xfs to ext4 on RAID,
> on first boot, at initrd time.[1]
>
> Because such an operation works at the filesystem level, we need to be
> able to read the SELinux labels first from the original root, and apply
> them to the files of the new root. The previous commit enabled the
> second part of this process; this commit enables the first part.
>
> [1] https://github.com/coreos/fedora-coreos-tracker/issues/94
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
> ---
>  security/selinux/hooks.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)

Thanks.  This looks reasonable to me, but since it was posted only a
few days before the merge window was opened it needs to wait until
after the merge window closes.  I'll merge it into selinux/next then.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0b4e32161b7..25b3403711d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3334,7 +3334,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
>         char *context = NULL;
>         struct inode_security_struct *isec;
>
> -       if (strcmp(name, XATTR_SELINUX_SUFFIX))
> +       /*
> +        * If we're not initialized yet, then we can't validate contexts, so
> +        * just let vfs_getxattr fall back to using the on-disk xattr.
> +        */
> +       if (!selinux_initialized(&selinux_state) ||
> +           strcmp(name, XATTR_SELINUX_SUFFIX))
>                 return -EOPNOTSUPP;
>
>         /*
> --
> 2.25.4

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v4] selinux: allow reading labels before policy is loaded
@ 2020-06-24  0:46   ` Paul Moore
From: Paul Moore @ 2020-06-24  0:46 UTC (permalink / raw)
  To: Jonathan Lebon; +Cc: selinux, Stephen Smalley

On Mon, Jun 1, 2020 at 2:24 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, May 28, 2020 at 10:49 AM Jonathan Lebon <jlebon@redhat.com> wrote:
> >
> > This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
> > labeling before policy is loaded") did for `setxattr`; it allows
> > querying the current SELinux label on disk before the policy is loaded.
> >
> > One of the motivations described in that commit message also drives this
> > patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
> > able to move the root filesystem, for example from xfs to ext4 on RAID,
> > on first boot, at initrd time.[1]
> >
> > Because such an operation works at the filesystem level, we need to be
> > able to read the SELinux labels first from the original root, and apply
> > them to the files of the new root. The previous commit enabled the
> > second part of this process; this commit enables the first part.
> >
> > [1] https://github.com/coreos/fedora-coreos-tracker/issues/94
> >
> > Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
> > ---
> >  security/selinux/hooks.c | 7 ++++++-
> >  1 file changed, 6 insertions(+), 1 deletion(-)
>
> Thanks.  This looks reasonable to me, but since it was posted only a
> few days before the merge window was opened it needs to wait until
> after the merge window closes.  I'll merge it into selinux/next then.

I just merged this into selinux/next - thanks!

-- 
paul moore
www.paul-moore.com

