diff options
author | Thorsten Leemhuis <fedora@leemhuis.info> | 2020-07-13 19:13:24 +0200 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2020-07-13 19:13:24 +0200 |
commit | fda836ec43c28561c5521309060648d2e67239e8 (patch) | |
tree | da0abeb4b963206fc5154a7d98e299906f17608e /0001-selinux-allow-reading-labels-before-policy-is-loaded.patch | |
parent | e35e769d8cb3726d2e5a009d4223037ba45a5157 (diff) | |
parent | aa5ab7f890a036ab6802c7a0c8cf8459a324e3c2 (diff) | |
download | kernel-fda836ec43c28561c5521309060648d2e67239e8.tar.gz kernel-fda836ec43c28561c5521309060648d2e67239e8.tar.xz kernel-fda836ec43c28561c5521309060648d2e67239e8.zip |
Merge remote-tracking branch 'origin/master' into rawhide-user-thl-vanilla-fedorakernel-5.8.0-0.rc5.1.vanilla.1.fc33kernel-5.8.0-0.rc5.1.vanilla.1.fc32kernel-5.8.0-0.rc5.1.vanilla.1.fc31
Diffstat (limited to '0001-selinux-allow-reading-labels-before-policy-is-loaded.patch')
-rw-r--r-- | 0001-selinux-allow-reading-labels-before-policy-is-loaded.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/0001-selinux-allow-reading-labels-before-policy-is-loaded.patch b/0001-selinux-allow-reading-labels-before-policy-is-loaded.patch new file mode 100644 index 000000000..5c2384cd6 --- /dev/null +++ b/0001-selinux-allow-reading-labels-before-policy-is-loaded.patch @@ -0,0 +1,49 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jonathan Lebon <jlebon@redhat.com> +Date: Thu, 28 May 2020 10:39:40 -0400 +Subject: [PATCH] selinux: allow reading labels before policy is loaded + +This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow +labeling before policy is loaded") did for `setxattr`; it allows +querying the current SELinux label on disk before the policy is loaded. + +One of the motivations described in that commit message also drives this +patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be +able to move the root filesystem for example, from xfs to ext4 on RAID, +on first boot, at initrd time.[1] + +Because such an operation works at the filesystem level, we need to be +able to read the SELinux labels first from the original root, and apply +them to the files of the new root. The previous commit enabled the +second part of this process; this commit enables the first part. + +[1] https://github.com/coreos/fedora-coreos-tracker/issues/94 + +Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> +Signed-off-by: Jonathan Lebon <jlebon@redhat.com> +Signed-off-by: Paul Moore <paul@paul-moore.com> +--- + security/selinux/hooks.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index efa6108b1ce9..ca901025802a 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void + char *context = NULL; + struct inode_security_struct *isec; + +- if (strcmp(name, XATTR_SELINUX_SUFFIX)) ++ /* ++ * If we're not initialized yet, then we can't validate contexts, so ++ * just let vfs_getxattr fall back to using the on-disk xattr. ++ */ ++ if (!selinux_initialized(&selinux_state) || ++ strcmp(name, XATTR_SELINUX_SUFFIX)) + return -EOPNOTSUPP; + + /* +-- +2.26.2 + |