On Thu, Dec 19, 2019 at 3:16 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
> Default Debian sid kernel:
> Linux debian-test 5.3.0-3-amd64 #1 SMP Debian 5.3.15-1 (2019-12-07)
> x86_64 GNU/Linux
>
> Somehow symlinks do not inherit their parent label.
> They all have the root-sysfs label.
>
> Remounting sysfs with `mount -o remount -t sysfs /sys` leaves all
> symlinks with the root-sysfs label.

Hm... this seems to happen due to the !S_ISLNK(inode->i_mode)
condition in inode_doinit_with_dentry() introduced in ea6b184f7d521
("selinux: use default proc sid on symlinks"). Since the condition was
apparently only intended for procfs at that time, I think we can
change the condition to
!((sbsec->flags & SE_SBPROC) && S_ISLNK(inode->i_mode))
to fix this for sysfs (et al.).

Stephen, do you agree? Or could the condition even be removed completely?

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.