This series contains two bugfixes that fix mounting the cgroup filesystem
with the 'context=' option under SELinux (and potentially other cases as
well).

Changes in v2:
 - drop first patch (already picked up by cgroups maintainer)
 - extract the genfs special handling condition into a separate function
 - check for SBLABEL_MNT directly in selinux_inode_setsecurity() and in
   selinux_inode_notifysecctx() just translate -ENOTSUPP to 0

v1: https://lore.kernel.org/selinux/20181213141739.8534-1-omosnace@xxxxxxxxxx/

Note that this series is testable only with patch [1] applied (it has
already been picked up by Tejun Heo, so I dropped it from this series).

The first patch fixes SELinux to always disallow relabeling inodes that
belong to a 'context=' mount.

The second patch fixes SELinux to ignore security_inode_notifysecctx()
calls and disallow security_inode_setsecurity() calls on inodes that
belong to a 'context=' mount.

Testing: Passed selinux-testsuite and verified using the reproducers.

[1] https://lore.kernel.org/selinux/20181213141739.8534-2-omosnace@xxxxxxxxxx/

Ondrej Mosnacek (2):
  selinux: never allow relabeling on context mounts
  selinux: do not override context on context mounts

 security/selinux/hooks.c | 49 ++++++++++++++++++++++++++++++++--------
 1 file changed, 39 insertions(+), 10 deletions(-)

--
2.19.2