authorPeter Robinson <pbrobinson@gmail.com>2020-07-12 12:34:19 +0100
committerPeter Robinson <pbrobinson@gmail.com>2020-07-12 12:34:19 +0100
commit5d1df62b2097376120abead16e9f8ec8084932b8 (patch)
tree84b8c7a3ed453a1a92f59f9531c1d690a2480eb9
parent54e45590c4d7877dc2c658bc110e461a8999afcc (diff)
selinux: allow reading labels before policy is loaded (rhbz 1845210)
-rw-r--r--kernel.spec6
-rw-r--r--selinux_allow_reading_labels_before_policy_is_loaded.patch48
2 files changed, 54 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index ab94a9c92..3a7f38c86 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -848,6 +848,9 @@ Patch105: 0001-virt-vbox-Log-unknown-ioctl-requests-as-error.patch
# Thinkpad dual fan control
Patch107: 0001-platform-x86-thinkpad_acpi-Add-support-for-dual-fan-.patch
+# https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?h=next&id=c8e222616c7e98305bdc861db3ccac520bc29921
+Patch108: selinux_allow_reading_labels_before_policy_is_loaded.patch
+
# Latest upstream screen driver - https://patchwork.kernel.org/patch/11627069/
Patch110: 0001-dt-bindings-vendor-prefixes-Add-Xingbangda.patch
Patch111: 0002-dt-bindings-panel-Convert-rocktech-jh057n00900-to-ya.patch
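Review bot: The new Patch108 entry is annotated only with the upstream commit URL, while the neighbouring entries (Patch107, Patch110) carry a one-line description of what the patch does; a maintainer scanning the patch list has to follow the link to learn why it is carried. Suggest a description line above the URL matching the commit subject, `# selinux: allow reading labels before policy is loaded (rhbz 1845210)`, and, if known, a note of the upstream release the fix lands in, `# upstream in <UPSTREAM_VERSION_PLACEHOLDER>, drop on rebase`, so it is clear when Patch108 can be removed. The second hunk of this file is the changelog entry and needs nothing.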
@@ -2896,6 +2899,9 @@ fi
#
#
%changelog
+* Sun Jul 12 2020 Peter Robinson <pbrobinson@fedoraproject.org>
+- selinux: allow reading labels before policy is loaded (rhbz 1845210)
+
* Thu Jul 09 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.7.8-100
- Linux v5.7.8
- Fixes (rhbz 1852944 1852942 1852963 1852962)
diff --git a/selinux_allow_reading_labels_before_policy_is_loaded.patch b/selinux_allow_reading_labels_before_policy_is_loaded.patch
new file mode 100644
index 000000000..53359159e
--- /dev/null
+++ b/selinux_allow_reading_labels_before_policy_is_loaded.patch
@@ -0,0 +1,48 @@
+From c8e222616c7e98305bdc861db3ccac520bc29921 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jlebon@redhat.com>
+Date: Thu, 28 May 2020 10:39:40 -0400
+Subject: selinux: allow reading labels before policy is loaded
+
+This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
+labeling before policy is loaded") did for `setxattr`; it allows
+querying the current SELinux label on disk before the policy is loaded.
+
+One of the motivations described in that commit message also drives this
+patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
+able to move the root filesystem for example, from xfs to ext4 on RAID,
+on first boot, at initrd time.[1]
+
+Because such an operation works at the filesystem level, we need to be
+able to read the SELinux labels first from the original root, and apply
+them to the files of the new root. The previous commit enabled the
+second part of this process; this commit enables the first part.
+
+[1] https://github.com/coreos/fedora-coreos-tracker/issues/94
+
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ security/selinux/hooks.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index efa6108b1ce9..ca901025802a 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
+ char *context = NULL;
+ struct inode_security_struct *isec;
+
+- if (strcmp(name, XATTR_SELINUX_SUFFIX))
++ /*
++ * If we're not initialized yet, then we can't validate contexts, so
++ * just let vfs_getxattr fall back to using the on-disk xattr.
++ */
++ if (!selinux_initialized(&selinux_state) ||
++ strcmp(name, XATTR_SELINUX_SUFFIX))
+ return -EOPNOTSUPP;
+
+ /*
+--
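Review bot: The added comment in selinux_inode_getsecurity explains why -EOPNOTSUPP is returned before initialization but not what the caller then observes: vfs_getxattr falls back to the raw on-disk security.selinux value, which is returned to userspace unvalidated and uncanonicalized, which is the intended behaviour but worth stating for anyone auditing pre-policy reads. Suggest extending the comment, `* The caller then sees the raw on-disk xattr bytes, unvalidated and not canonicalized.`. Note that selinux_initialized() is checked before the name comparison, so every getsecurity request (not only the SELinux suffix) short-circuits with -EOPNOTSUPP until policy load; that matches the existing -EOPNOTSUPP path for foreign names, so it looks harmless, but the ordering is worth a sentence in the patch description. The enclosing function starts and ends outside the hunk, so the later use of `context` and `isec` cannot be checked here.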