On Thu, Aug 20, 2020 at 1:00 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> Currently SELinux denies attempts to remove the security.selinux xattr
> always, even when permissive or no policy is loaded. This was originally
> motivated by the view that all files should be labeled, even if that label
> is unlabeled_t, and we shouldn't permit files that were once labeled to
> have their labels removed entirely. This however prevents removing
> SELinux xattrs in the case where one "disables" SELinux by not loading
> a policy (e.g. a system where runtime disable is removed and selinux=0
> was not specified). Allow removing the xattr before SELinux is
> initialized. We could conceivably permit it even after initialization
> if permissive, or introduce a separate permission check here.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> security/selinux/hooks.c | 3 +++
> 1 file changed, 3 insertions(+)

I'm in no rush to allow removing labels/xattrs if a policy is loaded, but it does make sense if one isn't loaded, especially when one considers the desire to get rid of the runtime disable.

Merged into selinux/next, thanks.

--
paul moore
www.paul-moore.com