On Tue, Jun 20, 2017 at 1:12 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Tue, 2017-06-20 at 09:35 -0700, Jeff Vander Stoep wrote:
>> In kernel version 4.1, tracefs was separated from debugfs into its
>> own filesystem. Prior to this split, files in
>> /sys/kernel/debug/tracing could be labeled during filesystem
>> creation using genfscon or later from userspace using setxattr. This
>> change re-enables support for genfscon labeling.
>>
>> Signed-off-by: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
>
> I don't suppose we could get you to tackle
> https://github.com/SELinuxProject/selinux-kernel/issues/2
> so that we don't have to keep patching these filesystem type
> whitelists?

+1 for Stephen's request. For what it's worth, you'll also earn my appreciation, or your beverage of choice the next time we are in the same spot (I'd go for the drink if I were you, much more valuable).

> That said, given that this is a user-visible regression, I'm ok with
> this as the short term fix.
>
> Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

Looks fine to me too, merged into selinux/next.

>> ---
>> security/selinux/hooks.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 820c16e36af8..33fd061305c4 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -813,6 +813,7 @@ static int selinux_set_mnt_opts(struct
>> super_block *sb,
>> sbsec->flags |= SE_SBPROC | SE_SBGENFS;
>>
>> if (!strcmp(sb->s_type->name, "debugfs") ||
>> + !strcmp(sb->s_type->name, "tracefs") ||
>> !strcmp(sb->s_type->name, "sysfs") ||
>> !strcmp(sb->s_type->name, "pstore"))
>> sbsec->flags |= SE_SBGENFS;

-- 
paul moore
www.paul-moore.com
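Review bot: the strcmp chain on sb->s_type->name in selinux_set_mnt_opts grows by one hardcoded filesystem name per fix (debugfs, sysfs, pstore, and now tracefs), which is the maintenance cost the thread already flags via selinux-kernel issue #2; at minimum the names could live in a static array walked in a loop, so the next genfscon-labelled filesystem is a one-entry change rather than another edited condition. It would also help to state in the commit message that SE_SBGENFS only enables the genfscon lookup: a policy still needs a matching genfscon entry for tracefs for the labeling described above to take effect, and /sys/kernel/debug/tracing now mounts as a separate tracefs instance rather than inheriting the debugfs label.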