On Fri, Jul 24, 2020 at 9:06 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> On 7/24/20 2:56 PM, Stephen Smalley wrote:
> > On Fri, Jul 24, 2020 at 8:29 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> >> On 7/24/20 2:23 PM, Stephen Smalley wrote:
> >>> On Fri, Jul 24, 2020 at 3:54 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> >>>> On 7/23/20 3:24 PM, Stephen Smalley wrote:
> > I think for this kind of complete policy changeover, you need to
> > relabel prior to rebooting.
>
> I think I tried that, but the extended attribute filesystems need to be
> re-initialized AFAIK, else fixfiles just returns with "Operation not
> supported". Not sure if that strictly speaking requires a reboot or if
> you can somehow do that with mount -o remount?
>
> Is there a way to enable labeling support of extended attribute
> filesystems without rebooting?
>
> I think there was a patch recently by the Red Hat ContainerOS people to
> enable labeling from the initramfs (i.e. labeling when SELinux is
> disabled). How does that relate to the issue where I am seemingly not
> able to relabel the filesystem after adding a fsuse trans rule without
> rebooting? (i.e. SELinux is enabled, there is a fsuse xattr but the
> filesystem hasn't been re-initialized yet and setfiles reports "operation
> not supported")

So, first, fs_use_* rules should be relatively standard across SELinux
policies because they are more about the characteristics of the filesystem
driver and what it supports than about a particular policy. The only thing
policy-specific about them is the context to assign to the
filesystem/superblock. I updated scripts/selinux/mdp to auto-generate
appropriate fs_use_* rules for many filesystem types and I'd recommend using
those rules in any new policy. Similarly, mdp can be used as a guide to which
filesystem types should be using genfscon, although incomplete.

If there was a good general way that I could test for the properties of a
filesystem type in the SELinux module code and automatically assign
FS_USE_* and/or use of genfscon, I'd do that instead.

Second, if your policy is changing these rules and the superblock has
already been initialized, then the only way to get your new rule applied is
if you can cause the old superblock to go away, e.g. unmount. And that won't
work while it is in use. So rebooting is your only option if you cannot do
that. Rebooting with SELinux disabled and then running setfiles will be the
safest when performing a complete policy changeover since you will then have
no interference by the old policy.
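As an added example (not part of this thread), a shell check for the situation described above: whether a mounted filesystem's superblock was initialized with SELinux labeling support, which the kernel reports as the seclabel super-option in /proc/self/mountinfo. Mounts without it are the ones where setfiles/fixfiles will fail with "Operation not supported" until the filesystem is unmounted and remounted, or the machine rebooted. The mountinfo lines are constructed sample data, not from a real host.

```shell
# Constructed /proc/self/mountinfo lines: /mnt/data was mounted before the
# fs_use_* rule for it existed, so its superblock never got labeling support.
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,seclabel,data=ordered
44 21 0:39 / /tmp rw,nosuid shared:2 - tmpfs tmpfs rw,seclabel
58 21 8:17 / /mnt/data rw,relatime shared:3 - ext4 /dev/sdb1 rw,data=ordered'

# Reads mountinfo on stdin and prints "<mountpoint> <fstype> labeled|unlabeled".
# Fields before " - " are mount fields (5th = mount point); fields after it are
# fstype, source and super options, where SELinux adds "seclabel".
report_seclabel() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    pre=${line%% - *}
    post=${line#* - }
    set -- $pre
    mnt=$5
    set -- $post
    fstype=$1
    superopts=$3
    case ",$superopts," in
      *,seclabel,*) state=labeled ;;
      *)            state=unlabeled ;;
    esac
    printf '%s %s %s\n' "$mnt" "$fstype" "$state"
  done
}

# Exit 0 if mount point $1 (mountinfo on stdin) has labeling support, else 1.
mount_is_labeled() {
  report_seclabel | grep -q "^$1 [^ ]* labeled$"
}

# Lists only the mounts a relabel will not be able to touch right now.
unlabeled_mounts() {
  report_seclabel | grep ' unlabeled$' || true
}

# On a live system: report_seclabel < /proc/self/mountinfo
printf '%s\n' "$SAMPLE_MOUNTINFO" | unlabeled_mounts
```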