Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort

On Thu, Aug 20, 2020 at 12:58:31PM -0400, Stephen Smalley wrote:
> On 8/19/20 3:16 PM, Stephen Smalley wrote:
> 
> > On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > > On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> > > There are some corner cases currently, e.g. you can't remove the
> > > security.selinux xattr if SELinux is enabled currently, and there are
> > > various hardcoded error cases in the SELinux hook functions that could
> > > potentially occur.  Beyond that there is the memory and runtime
> > > overhead.  Getting people to start using selinux=0 if they want to
> > > disable SELinux is definitely preferable.
> > We could try to eliminate those error cases by checking early for
> > selinux_initialized(state) in more of the hooks and bailing
> > immediately with success in that case, but we'd have to go through and
> > identify where we need that.
> 
> I did a quick look through error cases in the hook functions and it appeared
> that the only case where we would return an error that isn't already
> protected by a selinux_initialized() test or a test of enforcing mode is the
> removexattr() check.  So I just posted a patch to lift that restriction if
> policy hasn't been loaded. Hopefully there aren't any other user-visible
> differences.
> 

Thank you.

I'll be offline for the next 3 days, but I'll document it and test it on Monday.
