Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort

On 8/19/20 3:16 PM, Stephen Smalley wrote:

On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
There are some corner cases currently, e.g. you can't remove the
security.selinux xattr if SELinux is enabled currently, and there are
various hardcoded error cases in the SELinux hook functions that could
potentially occur.  Beyond that there is the memory and runtime
overhead.  Getting people to start using selinux=0 if they want to
disable SELinux is definitely preferable.
We could try to eliminate those error cases by checking early for
selinux_initialized(state) in more of the hooks and bailing
immediately with success in that case, but we'd have to go through and
identify where we need that.

I did a quick look through error cases in the hook functions and it appeared that the only case where we would return an error that isn't already protected by a selinux_initialized() test or a test of enforcing mode is the removexattr() check.  So I just posted a patch to lift that restriction if policy hasn't been loaded. Hopefully there aren't any other user-visible differences.
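The gating pattern discussed above, as an added illustration (this is not the kernel's code nor the posted patch): an LSM hook that first asks whether a policy has been loaded and bails out with success if not, shown for the removexattr case in a "before" and "after" form. `struct selinux_state`, `selinux_initialized()` and `XATTR_NAME_SELINUX` borrow the kernel's names but are simplified stand-ins, and `setattr_check()` is a hypothetical placeholder for the FILE__SETATTR permission check the real hook performs.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define XATTR_NAME_SELINUX "security.selinux"

/* Simplified stand-in for the kernel's struct selinux_state (assumption:
 * only the fields this illustration needs are modelled). */
struct selinux_state {
    bool initialized;   /* a policy has been loaded */
    bool enforcing;     /* enforcing vs. permissive; not consulted by this hook */
};

static bool selinux_initialized(const struct selinux_state *state)
{
    return state->initialized;
}

/* Hypothetical stand-in for the FILE__SETATTR permission check that the real
 * hook performs through dentry_has_perm(); here the caller supplies the verdict. */
static int setattr_check(bool caller_may_setattr)
{
    return caller_may_setattr ? 0 : -EACCES;
}

/* "Before": once SELinux is enabled, the security.selinux label can never be
 * removed, even if no policy has been loaded yet. */
int removexattr_hook_before(const struct selinux_state *state,
                            const char *name, bool caller_may_setattr)
{
    (void)state;
    if (strcmp(name, XATTR_NAME_SELINUX) != 0)
        return setattr_check(caller_may_setattr);
    /* Every object must keep its label while SELinux is active. */
    return -EACCES;
}

/* "After": the hook tests selinux_initialized() first and returns success
 * until a policy is loaded, so an enabled-but-policyless kernel behaves like
 * selinux=0 for this operation and only enforces the rule once a policy exists. */
int removexattr_hook_after(const struct selinux_state *state,
                           const char *name, bool caller_may_setattr)
{
    if (strcmp(name, XATTR_NAME_SELINUX) != 0)
        return setattr_check(caller_may_setattr);
    if (!selinux_initialized(state))
        return 0;
    return -EACCES;
}

int main(void)
{
    /* Constructed states: SELinux enabled without a policy, and with one loaded. */
    const struct selinux_state no_policy = { .initialized = false, .enforcing = false };
    const struct selinux_state loaded    = { .initialized = true,  .enforcing = true };

    printf("no policy, before:    %d\n",
           removexattr_hook_before(&no_policy, XATTR_NAME_SELINUX, true)); /* -EACCES */
    printf("no policy, after:     %d\n",
           removexattr_hook_after(&no_policy, XATTR_NAME_SELINUX, true));  /* 0 */
    printf("policy loaded, after: %d\n",
           removexattr_hook_after(&loaded, XATTR_NAME_SELINUX, true));     /* -EACCES */
    printf("user.foo, no setattr: %d\n",
           removexattr_hook_after(&loaded, "user.foo", false));            /* -EACCES */
    return 0;
}
```

The point of the "after" form is that the only user-visible difference between an enabled-but-policyless kernel and selinux=0 disappears for this hook: non-SELinux attributes are still subject to the ordinary setattr permission check in both forms, and the label-removal refusal is deferred until there is a policy to back it.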
