On Mon, Dec 7, 2020 at 9:45 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > Hi everyone, > > In [1] we ran into a problem with the current handling of filesystem > labeling rules. Basically, it is only possible to specify either > genfscon or fs_use_xattr for a given filesystem, but in the case of > virtiofs, certain mounts may support security xattrs, while other ones > may not. > > So we can't use the xattr support by adding fs_use_xattr virtiofs > (...); to the policy, because then a non-xattr mount will fail > (SELinux does a mount-time check on the root inode to make sure that > the xattr handler works), but we also don't want to stay on genfscon, > because then we can't relabel files. > > So my question is how to best address this? One option is to use a > similar "hack" as for cgroupfs; i.e. do a kind of mixed genfs-xattr > labeling, but that's ugly and requires hard-coding another FS name in > the selinux code. The only other alternative I could come up with is > to add a new FS labeling statement that would specify some kind of > mixed genfscon / fs_use_xattr behavior. That would be a better > long-term solution, but leads to more questions on how such statement > should actually work... Should it work the cgroupfs way, giving a > default label to everything and allowing to set/change labels via > xattrs? Or should it rather just detect xattrs support and switch > between SECURITY_FS_USE_XATTR and SECURITY_FS_USE_GENFS behavior based > on that? In the latter case, should the statement specify two contexts > (one for fs_use_xattr and another one for genfscon) or just one for > both behaviors? > I don't think adding a new statement is necessary. It seems like allowing both fs_use_xattr and genfscon rules for the filesystem in policy and then using the fs_use_xattr rule if xattrs are supported while falling back to the genfscon rule if they are not would do what you need. Jim > Any thoughts/pointers welcome. > > [1] https://github.com/fedora-selinux/selinux-policy/pull/478 > > -- > Ondrej Mosnacek > Software Engineer, Platform Security - SELinux kernel > Red Hat, Inc. >
