Re: [PATCH] selinux: allow reading labels before policy is loaded

On Mon, May 25, 2020 at 1:14 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> I might be missing something, but couldn't you achieve the same by
> simply adding something like this in here:
>
> if (!selinux_initialized(&selinux_state))
>         return -EOPNOTSUPP;
>
> (Or by adding it to the condition above.)
>
> Then you should hit this condition here and be all set:
> https://elixir.bootlin.com/linux/v5.7-rc7/source/fs/xattr.c#L337

OK, I tried this now and it does work well at least for our use case.
It's clearly a much simpler patch as well, which is nice. So assuming
my questions from the previous email don't raise any concerns, I'm
happy to switch to that instead.

One thing worth mentioning is that both patches change the behaviour
of `getxattr` for inodes on SE_SBGENFS superblocks. For example,
before, `getxattr("/proc", "security.selinux")` would return
`unlabeled_t`. Now it gets EOPNOTSUPP instead.

Anyway, I think this is fine overall and consistent with the behaviour
change proposed, but just wanted to flag it.
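To illustrate what a userspace caller sees after this change, here is a small added example (not part of either patch or of the kernel tree): it reads `security.selinux` with getxattr(2) and maps the outcomes the thread discusses, so that EOPNOTSUPP (no label available, e.g. a genfs inode before policy load) is distinguished from ENODATA and from real errors. The enum and function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Outcome of asking for a file's SELinux context through getxattr(2). */
enum label_status {
    LABEL_PRESENT,          /* context string copied into buf */
    LABEL_UNSUPPORTED,      /* EOPNOTSUPP: no label can be provided (e.g. policy not loaded) */
    LABEL_ABSENT,           /* ENODATA: xattrs supported here, but none is set */
    LABEL_BUFFER_TOO_SMALL, /* ERANGE or a caller buffer too small to hold anything */
    LABEL_ERROR             /* any other errno (EACCES, ENOENT, ...), left in errno */
};

/* Map the errno left by a failed getxattr() call to a label_status. */
enum label_status classify_getxattr_errno(int err)
{
    switch (err) {
    case EOPNOTSUPP: return LABEL_UNSUPPORTED;
    case ENODATA:    return LABEL_ABSENT;
    case ERANGE:     return LABEL_BUFFER_TOO_SMALL;
    default:         return LABEL_ERROR;
    }
}

/* Read the security.selinux value of path into buf (size bytes) as a C string. */
enum label_status read_selinux_label(const char *path, char *buf, size_t size)
{
    /* getxattr() with a zero-length buffer only reports the value's size, so a
     * buffer that cannot hold one byte plus the terminator is rejected up front. */
    if (size < 2) {
        errno = ERANGE;
        return LABEL_BUFFER_TOO_SMALL;
    }
    ssize_t n = getxattr(path, "security.selinux", buf, size - 1);
    if (n < 0)
        return classify_getxattr_errno(errno);
    buf[n] = '\0'; /* the stored value may or may not carry its own NUL */
    return LABEL_PRESENT;
}

int main(int argc, char **argv)
{
    char buf[256];
    const char *path = argc > 1 ? argv[1] : "/proc";
    enum label_status st = read_selinux_label(path, buf, sizeof buf);
    if (st == LABEL_PRESENT)
        printf("%s: %s\n", path, buf);
    else
        printf("%s: status %d (errno %d)\n", path, (int)st, errno);
    return st == LABEL_ERROR;
}
```

Which status `/proc` yields depends on the running kernel, whether SELinux is enabled, and whether policy is loaded; the point is that a caller should treat LABEL_UNSUPPORTED as "no answer yet" rather than as a failure.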
