author | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-08-13 12:44:32 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2020-08-13 12:44:32 -0500 |
commit | f7a3bf654752fa0e92c7ab3e57e48d3415632852 (patch) | |
tree | 499e2cc107f4bff8b98bd676b494d51ae89dcb4a /0001-selinux-allow-reading-labels-before-policy-is-loaded.patch | |
parent | 142d1dbc8748e066ce794a391416b045d570be71 (diff) | |
kernel-5.9.0-0.rc0.20200813gitdc06fe51d26e.1
* Thu Aug 13 2020 Fedora Kernel Team <kernel-team@fedoraproject.org> [5.9.0-0.rc0.20200813gitdc06fe51d26e.1]
- dc06fe51d26e rebase
- More mismatches ("Justin M. Forbes")
- Fedora config change due to deps ("Justin M. Forbes")
- CONFIG_SND_SOC_MAX98390 is now selected by SND_SOC_INTEL_DA7219_MAX98357A_GENERIC ("Justin M. Forbes")
- Config change required for build part 2 ("Justin M. Forbes")
- Config change required for build ("Justin M. Forbes")
- Fedora config update ("Justin M. Forbes")
- Revert "Merge branch 'make_configs_fix' into 'os-build'" (Justin Forbes)
- redhat/configs/process_configs.sh: Remove *.config.orig files (Prarit Bhargava)
- redhat/configs/process_configs.sh: Add process_configs_known_broken flag (Prarit Bhargava)
- redhat/Makefile: Fix '*-configs' targets (Prarit Bhargava)
- Updated changelog for the release based on v5.8 (Fedora Kernel Team)
- Add ability to sync upstream through Makefile (Don Zickus)
- Add master merge check (Don Zickus)
- Replace hardcoded values 'os-build' and project id with variables (Don Zickus)
- gitattributes: Remove unnecesary export restrictions (Prarit Bhargava)
- redhat/Makefile.common: Fix MARKER (Prarit Bhargava)
Resolves: rhbz#
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to '0001-selinux-allow-reading-labels-before-policy-is-loaded.patch')
-rw-r--r-- | 0001-selinux-allow-reading-labels-before-policy-is-loaded.patch | 49 |
1 files changed, 0 insertions, 49 deletions
diff --git a/0001-selinux-allow-reading-labels-before-policy-is-loaded.patch b/0001-selinux-allow-reading-labels-before-policy-is-loaded.patch deleted file mode 100644 index 5c2384cd6..000000000 --- a/0001-selinux-allow-reading-labels-before-policy-is-loaded.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Jonathan Lebon <jlebon@redhat.com> -Date: Thu, 28 May 2020 10:39:40 -0400 -Subject: [PATCH] selinux: allow reading labels before policy is loaded - -This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow -labeling before policy is loaded") did for `setxattr`; it allows -querying the current SELinux label on disk before the policy is loaded. - -One of the motivations described in that commit message also drives this -patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be -able to move the root filesystem for example, from xfs to ext4 on RAID, -on first boot, at initrd time.[1] - -Because such an operation works at the filesystem level, we need to be -able to read the SELinux labels first from the original root, and apply -them to the files of the new root. The previous commit enabled the -second part of this process; this commit enables the first part. - -[1] https://github.com/coreos/fedora-coreos-tracker/issues/94 - -Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> -Signed-off-by: Jonathan Lebon <jlebon@redhat.com> -Signed-off-by: Paul Moore <paul@paul-moore.com> ---- - security/selinux/hooks.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index efa6108b1ce9..ca901025802a 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void - char *context = NULL; - struct inode_security_struct *isec; - -- if (strcmp(name, XATTR_SELINUX_SUFFIX)) -+ /* -+ * If we're not initialized yet, then we can't validate contexts, so -+ * just let vfs_getxattr fall back to using the on-disk xattr. -+ */ -+ if (!selinux_initialized(&selinux_state) || -+ strcmp(name, XATTR_SELINUX_SUFFIX)) - return -EOPNOTSUPP; - - /* --- -2.26.2 - |
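Review bot: The removal of 0001-selinux-allow-reading-labels-before-policy-is-loaded.patch (the whole `@@ -1,49 +0,0 @@` hunk) is not explained anywhere in the commit message. The changelog lists the dc06fe51d26e rebase and several config changes but never mentions dropping this carried patch. The deleted file carries Paul Moore's Signed-off-by, which suggests the change went through the SELinux tree, but its From line is the all-zero placeholder hash, so the upstream commit cannot be identified from what is recorded here. Please add a changelog line stating that the patch is dropped and why, and confirm that `selinux_inode_getsecurity()` in security/selinux/hooks.c of the rebased tree returns -EOPNOTSUPP when `!selinux_initialized(&selinux_state)`. Without that check, reading on-disk labels via getxattr before policy load stops working, which is the initrd-time root filesystem move for Fedora CoreOS that the patch description gives as its motivation.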