| author | Ondrej Mosnacek <omosnace@redhat.com> | 2021-01-13 15:38:02 +0300 | 
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2021-01-13 16:55:11 +0300 | 
| commit | 08abe46b2cfcf5f815cd4961b1bf9e10b1714c6d (patch) | |
| tree | 1e0d11c7f86f913c0208c3d50ddb1ebd540fb016 /lib/mpi/mpicoder.c | |
| parent | e0de8a9aebd01589c0246facf1eb533dd1b7a506 (diff) | |
| download | linux-08abe46b2cfcf5f815cd4961b1bf9e10b1714c6d.tar.xz | |
selinux: fall back to SECURITY_FS_USE_GENFS if no xattr support

When a superblock is assigned the SECURITY_FS_USE_XATTR behavior by the
policy yet it lacks xattr support, try to fall back to genfs rather than
rejecting the mount. If a genfscon rule is found for the filesystem,
then change the behavior to SECURITY_FS_USE_GENFS, otherwise reject the
mount as before. A similar fallback is already done in security_fs_use()
if no behavior specification is found for the given filesystem.

This is needed e.g. for virtiofs, which may or may not support xattrs
depending on the backing host filesystem.

Example:

    # seinfo --genfs | grep ' ramfs'
       genfscon ramfs /  system_u:object_r:ramfs_t:s0
    # echo '(fsuse xattr ramfs (system_u object_r fs_t ((s0) (s0))))' >ramfs_xattr.cil
    # semodule -i ramfs_xattr.cil
    # mount -t ramfs none /mnt

Before:

    mount: /mnt: mount(2) system call failed: Operation not supported.

After:

    (mount succeeds)
    # ls -Zd /mnt
    system_u:object_r:ramfs_t:s0 /mnt

See also:
https://lore.kernel.org/selinux/20210105142148.GA3200@redhat.com/T/
https://github.com/fedora-selinux/selinux-policy/pull/478

Cc: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'lib/mpi/mpicoder.c')
0 files changed, 0 insertions, 0 deletions
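
The decision described in the commit message, as a user-space model added here for illustration; it is not the kernel's code and not part of this commit. The function name `resolve_mount`, the `allow_fallback` switch (0 models "Before", 1 models "After"), the enum, the policy table and the filesystem name `demofs` are all assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Model only: every name and the policy table below are constructed. */
enum fs_behavior { FS_USE_XATTR, FS_USE_GENFS };
struct genfs_rule { const char *fstype, *path, *context; };

/* Constructed policy: only ramfs has a genfscon rule, as in the example. */
static const struct genfs_rule genfs_rules[] = {
    { "ramfs", "/", "system_u:object_r:ramfs_t:s0" },
};

static const struct genfs_rule *find_genfs(const char *fstype)
{
    size_t n = sizeof(genfs_rules) / sizeof(genfs_rules[0]);
    for (size_t i = 0; i < n; i++)
        if (!strcmp(genfs_rules[i].fstype, fstype) &&
            !strcmp(genfs_rules[i].path, "/"))
            return &genfs_rules[i];
    return NULL;
}

/* Returns 0 on success or -EOPNOTSUPP when the mount is rejected.
 * allow_fallback = 0 models the old behavior, 1 the new one.
 * *root_ctx is set only when the result is FS_USE_GENFS. */
int resolve_mount(const char *fstype, enum fs_behavior policy, int has_xattr,
                  int allow_fallback, enum fs_behavior *out,
                  const char **root_ctx)
{
    *out = policy;
    *root_ctx = NULL;
    if (policy != FS_USE_XATTR || has_xattr)
        return 0;                 /* nothing to fall back from */
    const struct genfs_rule *g = allow_fallback ? find_genfs(fstype) : NULL;
    if (!g)
        return -EOPNOTSUPP;       /* "Operation not supported" */
    *out = FS_USE_GENFS;          /* label from the genfscon rule instead */
    *root_ctx = g->context;
    return 0;
}

int main(void)
{
    enum fs_behavior b; const char *ctx;
    int rc = resolve_mount("ramfs", FS_USE_XATTR, 0, 1, &b, &ctx);
    printf("rc=%d context=%s\n", rc, ctx ? ctx : "(none)");
    return rc != 0;
}
```

A filesystem type with an xattr rule but no genfscon rule (`demofs` in the model) is still rejected with the fallback enabled, which matches the "otherwise reject the mount as before" clause.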
