Re: incorrect sysfs contexts

On Wed, Jan 8, 2020 at 8:41 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Thu, Dec 19, 2019 at 3:16 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> > Default Debian sid kernel:
> > Linux debian-test 5.3.0-3-amd64 #1 SMP Debian 5.3.15-1 (2019-12-07)
> > x86_64 GNU/Linux
> >
> > Somehow symlinks do not inherit their parent label.
> > They all have the root-sysfs label.
> >
> > Remounting sysfs with `mount -o remount -t sysfs /sys` leaves all
> > symlinks with the root-sysfs label.
>
> Hm... this seems to happen due to the !S_ISLNK(inode->i_mode)
> condition in inode_doinit_with_dentry() introduced in ea6b184f7d521
> ("selinux: use default proc sid on symlinks"). Since the condition was
> apparently only intended for procfs at that time, I think we can
> change the condition to !((sbsec->flags & SE_SBPROC) &&
> S_ISLNK(inode->i_mode)) to fix this for sysfs (et al.). Stephen, do
> you agree? Or could the condition even be removed completely?

It looks like this was generalized to genfs in 134509d54e4e ("selinux:
enable per-file labeling for debugfs files.") but unfortunately there
doesn't appear to be any discussion of link handling in the patch.

I'm definitely not a debugfs expert, but based on my limited knowledge
and a rather liberal interpretation of the commit description in the
patch mentioned above, it would appear that expanding the procfs link
handling to debugfs was intended.  This makes me wonder if the proper
solution is to create another sbsec->flag specifically for link
handling?

-- 
paul moore
www.paul-moore.com
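
A way to check a running system for the symptom reported in this thread, added here as an example and not part of the original messages or of any SELinux tool: list symlinks that carry the filesystem root's label while their parent directory carries a different one. The function names are hypothetical, and the comparison against the parent directory's label is a heuristic taken from the report's wording, not a policy lookup.

```python
import os
import sys

def get_label(path):
    """Return the SELinux context of path itself (symlinks are not followed)."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:
        return None  # SELinux disabled, no label, or no permission
    return raw.rstrip(b"\0").decode()

def find_mislabeled_symlinks(root, entries, label_of=get_label):
    """entries: iterable of (path, is_symlink) pairs below root.

    Returns (path, link_label, parent_label) for every symlink that has the
    root's label although its parent directory is labeled differently.
    Assumption (heuristic): such a link should have followed its parent.
    """
    root_label = label_of(root)
    hits = []
    for path, is_link in entries:
        if not is_link:
            continue
        link_label = label_of(path)
        parent_label = label_of(os.path.dirname(path))
        if None in (root_label, link_label, parent_label):
            continue  # cannot compare without all three labels
        if link_label == root_label and parent_label != root_label:
            hits.append((path, link_label, parent_label))
    return hits

def walk(root):
    """Yield (path, is_symlink) for everything below root, never following links."""
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield full, os.path.islink(full)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys"
    for path, link, parent in find_mislabeled_symlinks(root, walk(root)):
        print(f"{path}: {link} (parent: {parent})")
```

Run it before and after a kernel change to the symlink condition to see whether the set of root-labeled links shrinks.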



