path: root/selinux_allow_reading_labels_before_policy_is_loaded.patch
author Justin M. Forbes <jforbes@fedoraproject.org> 2020-08-26 16:24:10 -0500
committer Justin M. Forbes <jforbes@fedoraproject.org> 2020-08-26 16:24:10 -0500
commit d5f320566eb00901161a51fbd50b5ebbc51f47be
tree 1dd2a09d65cd30d51df364946c799074fbf7f99a /selinux_allow_reading_labels_before_policy_is_loaded.patch
parent 13d534d28a3d856676458b2aa28db46fa62d0f7d
Linux v5.8.4 rebase
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
Diffstat (limited to 'selinux_allow_reading_labels_before_policy_is_loaded.patch')
-rw-r--r-- selinux_allow_reading_labels_before_policy_is_loaded.patch 48
1 files changed, 0 insertions, 48 deletions
diff --git a/selinux_allow_reading_labels_before_policy_is_loaded.patch b/selinux_allow_reading_labels_before_policy_is_loaded.patch
deleted file mode 100644
index 53359159e..000000000
--- a/selinux_allow_reading_labels_before_policy_is_loaded.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c8e222616c7e98305bdc861db3ccac520bc29921 Mon Sep 17 00:00:00 2001
-From: Jonathan Lebon <jlebon@redhat.com>
-Date: Thu, 28 May 2020 10:39:40 -0400
-Subject: selinux: allow reading labels before policy is loaded
-
-This patch does for `getxattr` what commit 3e3e24b42043 ("selinux: allow
-labeling before policy is loaded") did for `setxattr`; it allows
-querying the current SELinux label on disk before the policy is loaded.
-
-One of the motivations described in that commit message also drives this
-patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
-able to move the root filesystem for example, from xfs to ext4 on RAID,
-on first boot, at initrd time.[1]
-
-Because such an operation works at the filesystem level, we need to be
-able to read the SELinux labels first from the original root, and apply
-them to the files of the new root. The previous commit enabled the
-second part of this process; this commit enables the first part.
-
-[1] https://github.com/coreos/fedora-coreos-tracker/issues/94
-
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index efa6108b1ce9..ca901025802a 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3332,7 +3332,12 @@ static int selinux_inode_getsecurity(struct inode *inode, const char *name, void
- char *context = NULL;
- struct inode_security_struct *isec;
-
-- if (strcmp(name, XATTR_SELINUX_SUFFIX))
-+ /*
-+ * If we're not initialized yet, then we can't validate contexts, so
-+ * just let vfs_getxattr fall back to using the on-disk xattr.
-+ */
-+ if (!selinux_initialized(&selinux_state) ||
-+ strcmp(name, XATTR_SELINUX_SUFFIX))
- return -EOPNOTSUPP;
-
- /*
---
-cgit 1.2.3-1.el7
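Review bot: the commit message ("Linux v5.8.4 rebase") gives no reason for dropping selinux_allow_reading_labels_before_policy_is_loaded.patch, and nothing in this diff shows where its behaviour now comes from. The deleted patch is what makes selinux_inode_getsecurity() return -EOPNOTSUPP when !selinux_initialized(&selinux_state), so that vfs_getxattr falls back to the on-disk xattr, and its description ties that to the Fedora CoreOS first-boot root filesystem move at initrd time. Please add a line to the message stating whether the new base already carries this change (the embedded header gives c8e222616c7e98305bdc861db3ccac520bc29921 as its source), so a reader can confirm that reading labels before policy load still works after the rebase. Since that path returns labels the kernel has not validated, it is also worth noting in the message that the behaviour is kept rather than silently changed.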