diff options
| author |   Ondrej Mosnacek <omosnace@redhat.com> | 2021-01-13 13:38:02 +0100 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2021-01-13 08:55:11 -0500 |
| commit | 08abe46b2cfcf5f815cd4961b1bf9e10b1714c6d (patch) | |
| tree | 1e0d11c7f86f913c0208c3d50ddb1ebd540fb016 /security/security.c | |
| parent | selinux: mark selinux_xfrm_refcount as __read_mostly (diff) | |
| download | linux-dev-08abe46b2cfcf5f815cd4961b1bf9e10b1714c6d.tar.xz linux-dev-08abe46b2cfcf5f815cd4961b1bf9e10b1714c6d.zip | |
selinux: fall back to SECURITY_FS_USE_GENFS if no xattr support
When a superblock is assigned the SECURITY_FS_USE_XATTR behavior by the
policy yet it lacks xattr support, try to fall back to genfs rather than
rejecting the mount. If a genfscon rule is found for the filesystem,
then change the behavior to SECURITY_FS_USE_GENFS, otherwise reject the
mount as before. A similar fallback is already done in security_fs_use()
if no behavior specification is found for the given filesystem.
This is needed e.g. for virtiofs, which may or may not support xattrs
depending on the backing host filesystem.
Example:
# seinfo --genfs | grep ' ramfs'
genfscon ramfs / system_u:object_r:ramfs_t:s0
# echo '(fsuse xattr ramfs (system_u object_r fs_t ((s0) (s0))))' >ramfs_xattr.cil
# semodule -i ramfs_xattr.cil
# mount -t ramfs none /mnt
Before:
mount: /mnt: mount(2) system call failed: Operation not supported.
After:
(mount succeeds)
# ls -Zd /mnt
system_u:object_r:ramfs_t:s0 /mnt
See also:
https://lore.kernel.org/selinux/20210105142148.GA3200@redhat.com/T/
https://github.com/fedora-selinux/selinux-policy/pull/478
Cc: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/security.c')
0 files changed, 0 insertions, 0 deletions