Re: [PATCH] selinux: Allow file owner to set "security.sehash"

On Fri, Jun 5, 2020 at 9:23 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Fri, Jun 5, 2020 at 2:21 AM Chirantan Ekbote <chirantan@xxxxxxxxxxxx> wrote:
> >
>
> > The background for this patch is that I have a fuse server that runs
> > in a user namespace.  It runs as root in that namespace and keeps all
> > the file system caps so that it can set selinux xattrs.  However, it
> > cannot set the sehash xattr as that needs CAP_SYS_ADMIN in the parent
> > namespace.  Looking at the code I thought that might have just been an
> > oversight but if it's intentional then do you have any suggestions for
> > how to make this work?  I'd rather not weaken the sandbox for this
> > process just so that it can set this one xattr.
>
> I'd be willing to move from requiring CAP_SYS_ADMIN to performing a
> SELinux permission check (either FILE__RELABELFROM or a new one), but
> I'd like the Android folks to chime in here.  Maybe you can ping them
> through other channels since they haven't responded yet.

I contacted them separately and they are not interested in relaxing
the requirements and also said that the kernel shouldn't have any
knowledge of the sehash xattr.  So I guess we can just drop this.

Thanks,
Chirantan


