> -----Original Message-----
> From: owner-linux-security-module@xxxxxxxxxxxxxxx [mailto:owner-linux-security-module@xxxxxxxxxxxxxxx] On Behalf Of Paul Moore
> Sent: Tuesday, December 3, 2019 3:15 AM
> To: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxx; linux-security-module@xxxxxxxxxxxxxxx; Roberto Sassu <roberto.sassu@xxxxxxxxxx>; initramfs <initramfs@xxxxxxxxxxxxxxx>
> Subject: Re: [GIT PULL] SELinux patches for v5.5
>
> On December 2, 2019 9:00:35 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> > On Mon, 2019-12-02 at 15:04 -0500, Paul Moore wrote:
> >> On Mon, Dec 2, 2019 at 10:58 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >>> [Truncated Cc list, adding Roberto and the initramfs mailing list]
> >>>
> >>> Hi Paul,
> >>>
> >>> On Tue, 2019-11-26 at 16:24 -0500, Paul Moore wrote:
> >>>
> >>>> - Allow file labeling before the policy is loaded. This should ease
> >>>> some of the burden when the policy is initially loaded (no need to
> >>>> relabel files), but it should also help enable some new system
> >>>> concepts which dynamically create the root filesystem in the initrd.
> >>>
> >>> Any chance you're planning on using Roberto's patches for including
> >>> security xattrs in the initramfs?[1]
> >>> [1] https://www.spinics.net/lists/linux-initramfs/msg04771.html
> >>
> >> I'm assuming you're not asking about me personally? ;)
> >
> > No, of course not. I was wondering if "help enable some new system
> > concepts which dynamically create the root filesystem in the initrd"
> > adds SELinux labels on the root filesystem.
>
> Once again, that is more of a distro specific question.

If recent changes allow file labeling before the SELinux policy is loaded, I think it would help the mechanism I developed. The SELinux label and IMA/EVM signature can be included in the ram disk (standard CPIO image), in a special file named METADATA!!! that follows the file the xattrs are applied to.

Roberto