Received: by 10.223.185.116 with SMTP id b49csp1107771wrg; Fri, 16 Feb 2018 12:36:26 -0800 (PST) X-Google-Smtp-Source: AH8x2262VsZ9uOSUg50i7M4HrSoRW24qmEXy6PPRh7eu7PUg0Dj5SFBX3hBlVSJEqnig/aOWLA3D X-Received: by 2002:a17:902:b707:: with SMTP id d7-v6mr7062042pls.119.1518813386067; Fri, 16 Feb 2018 12:36:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518813386; cv=none; d=google.com; s=arc-20160816; b=lrTnxSiIHrinteDxuDqMOTU3D2yvf/DhFVkaIfLN48QCPyo+y0zqoR7U0YHKjsIGbH xswcSCAQF5ugpzspvvPgmC4Gts99O/yDzZ2qNJuqQFoDOrl+WOXziugEjEUxdF9kYZmg DjHOJaEtc1PjeHdIYd5l1It1m1QYiVwiO4XVqBxweXYNnNeqqLOJLrlqMJxwGk3emzG4 4b6AzO4N0fPKBV3G6xa9UIB4ERT+68itgJeZ/kKE0tme8prn1m/CfvX5V7KatJwZhxao z5v51Oriy4g+BH6F9rMxx3WSz/mJqs/2WMW0jp6Fr6tUxUq73qTAzhiefOMDqnx9TpU3 oWKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=bMDHejotnIJAIN+Gl2dmRyy6XAnlh4dSuvALBKEW+fc=; b=HNZz/c5jtvGrLBR3qPDI10HdMdtfskdSyF75afEdV/hFa7vmQQLkepEGMN9qUJLeuT tWDK1GVAqjpVzURM24EykD3MVL7EjgrQO44huQvVHdb9SOSH99iYm1yG6rIsNz7T/SMI Ts28e/3aUQwewBYP9rfpWGLJdgTzWuwlKti3aygPFmGRWVzS6f9i2eWLhnN/8JTjkmNT k4j0aOFoBj0DrpAzkjTx+XCWblrbw0kfjD5jOD1rjnj+MmiA4yXEqBBZzWjiSeDvtB+t 6B3MnY8N5IXQGKBeEp9d6Wpt6v3nYidYth24fWWppEKER+W4iJGcWvCLhT/sLQwL7Osm BNaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=CsdtmUii; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l26si2061004pfj.401.2018.02.16.12.36.11; Fri, 16 Feb 2018 12:36:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=CsdtmUii; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751174AbeBPUeR (ORCPT + 99 others); Fri, 16 Feb 2018 15:34:17 -0500 Received: from alln-iport-8.cisco.com ([173.37.142.95]:45361 "EHLO alln-iport-8.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751010AbeBPUeI (ORCPT ); Fri, 16 Feb 2018 15:34:08 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1404; q=dns/txt; s=iport; t=1518813248; x=1520022848; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=GVG8yZSIqBpAYoYeLbJ4sv4eV9fL21UfOz/cszDkk3s=; b=CsdtmUiirgjFlvragdFDEOwebxyjKKCLwg5WWLYPNlgWoLjWxNLUGB+g XyHN6zbSwCegbYj7pLRqU/pW9mcLU6PUS278EwN3JtLkNPf8ds+45Sazu j6EbJPFnaaHEu9RwIFPzjt07aJOsYsKLUa1rLkw7y986uK+Ax1jBFsHdb w=; X-IronPort-AV: E=Sophos;i="5.46,520,1511827200"; d="scan'208";a="71384351" Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Feb 2018 20:34:07 +0000 Received: from sjc-ads-7132.cisco.com (sjc-ads-7132.cisco.com [10.30.217.207]) (authenticated bits=0) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w1GKXsMe015412 (version=TLSv1/SSLv3 cipher=AES128-SHA256 bits=128 verify=NO); Fri, 16 Feb 2018 20:34:07 GMT From: Taras Kondratiuk To: "H. Peter Anvin" , Al Viro , Arnd Bergmann , Rob Landley , Mimi Zohar , Jonathan Corbet , James McMechan Cc: initramfs@vger.kernel.org, Victor Kamensky , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, xe-linux-external@cisco.com Subject: [PATCH v3 13/14] selinux: allow setxattr on rootfs so initramfs code can set them Date: Fri, 16 Feb 2018 20:33:51 +0000 Message-Id: <1518813234-5874-16-git-send-email-takondra@cisco.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1518813234-5874-1-git-send-email-takondra@cisco.com> References: <1518813234-5874-1-git-send-email-takondra@cisco.com> X-Auto-Response-Suppress: DR, OOF, AutoReply X-Authenticated-User: takondra@cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Victor Kamensky initramfs code supporting extended cpio format have ability to fill extended attributes from cpio archive, but if SELinux enabled and security server is not initialized yet, selinux callback would refuse setxattr made by initramfs code. Solution enable SBLABEL_MNT on rootfs even if secrurity server is not initialized yet. Signed-off-by: Victor Kamensky --- security/selinux/hooks.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8644d864e3c1..f3fe65589f02 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -706,6 +706,18 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!ss_initialized) { if (!num_opts) { + /* + * Special handling for rootfs. Is genfs but supports + * setting SELinux context on in-core inodes. + * + * Chicken and egg problem: policy may reside in rootfs + * but for initramfs code to fill in attributes, it + * needs selinux to allow that. + */ + if (!strncmp(sb->s_type->name, "rootfs", + sizeof("rootfs"))) + sbsec->flags |= SBLABEL_MNT; + /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ -- 2.10.3.dirty