On 1/8/20 8:41 AM, Ondrej Mosnacek wrote:
On Thu, Dec 19, 2019 at 3:16 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:

Default Debian sid kernel:
Linux debian-test 5.3.0-3-amd64 #1 SMP Debian 5.3.15-1 (2019-12-07)
x86_64 GNU/Linux
Somehow symlinks do not inherit their parent label.
They all have the root-sysfs label.
Remounting sysfs with `mount -o remount -t sysfs /sys` leaves all
symlinks with the root-sysfs label.

Hm... this seems to happen due to the !S_ISLNK(inode->i_mode)
condition in inode_doinit_with_dentry() introduced in ea6b184f7d521
("selinux: use default proc sid on symlinks"). Since the condition was
apparently only intended for procfs at that time, I think we can
change the condition to !((sbsec->flags & SE_SBPROC) &&
S_ISLNK(inode->i_mode)) to fix this for sysfs (et al.). Stephen, do
you agree? Or could the condition even be removed completely?

IIRC, it was to avoid a compatibility break and we didn't consider it
useful to support fine-grained labeling of symlinks in proc since the
only operation is readlink.
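
A check for the symptom reported in this thread, added here as an example and not part of the original messages: it lists symlinks under a mount that carry the mount root's SELinux label while their parent directory carries a different one. It assumes, as the report does, that a symlink is expected to share its parent's label (policy may legitimately differ); `read_label` and `symlinks_with_root_label` are names chosen for this example.

```python
import os
import sys

XATTR = "security.selinux"  # xattr through which the kernel exposes SELinux labels


def read_label(path):
    """Return the SELinux context of path itself (symlinks not followed), or None."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError:
        return None  # no label available (SELinux disabled, no permission, ...)
    return raw.rstrip(b"\x00").decode()


def symlinks_with_root_label(root, get_label=read_label):
    """Return [(symlink, parent_label)] for symlinks labelled like the mount
    root although their parent directory has a different label."""
    findings = []
    root_label = get_label(root)
    if root_label is None:
        return findings
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        parent_label = get_label(dirpath)
        if parent_label in (None, root_label):
            continue  # nothing to compare against, or parent matches the root
        # os.walk lists symlinks to directories in dirnames, others in filenames
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and get_label(path) == root_label:
                findings.append((path, parent_label))
    return findings


if __name__ == "__main__":
    mount = sys.argv[1] if len(sys.argv) > 1 else "/sys"
    for link, parent_label in symlinks_with_root_label(mount):
        print(f"{link}: has root label, parent is {parent_label}")
```

Running it against `/sys` before and after a kernel change shows whether symlink labels still collapse to the root label.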