author | Ondrej Mosnacek <omosnace@redhat.com> | 2021-01-13 13:38:02 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2021-01-13 08:55:11 -0500 |
commit | 08abe46b2cfcf5f815cd4961b1bf9e10b1714c6d (patch) | |
tree | 1e0d11c7f86f913c0208c3d50ddb1ebd540fb016 /include | |
parent | e0de8a9aebd01589c0246facf1eb533dd1b7a506 (diff) | |

selinux: fall back to SECURITY_FS_USE_GENFS if no xattr support

When a superblock is assigned the SECURITY_FS_USE_XATTR behavior by the
policy yet it lacks xattr support, try to fall back to genfs rather than
rejecting the mount. If a genfscon rule is found for the filesystem,
then change the behavior to SECURITY_FS_USE_GENFS, otherwise reject the
mount as before. A similar fallback is already done in security_fs_use()
if no behavior specification is found for the given filesystem.

This is needed e.g. for virtiofs, which may or may not support xattrs
depending on the backing host filesystem.

Example:

    # seinfo --genfs | grep ' ramfs'
    genfscon ramfs / system_u:object_r:ramfs_t:s0
    # echo '(fsuse xattr ramfs (system_u object_r fs_t ((s0) (s0))))' >ramfs_xattr.cil
    # semodule -i ramfs_xattr.cil
    # mount -t ramfs none /mnt

Before:

    mount: /mnt: mount(2) system call failed: Operation not supported.

After:

    (mount succeeds)
    # ls -Zd /mnt
    system_u:object_r:ramfs_t:s0 /mnt

See also:

- https://lore.kernel.org/selinux/20210105142148.GA3200@redhat.com/T/
- https://github.com/fedora-selinux/selinux-policy/pull/478

Cc: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions