On Wed, Jan 13, 2021 at 7:38 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> When a superblock is assigned the SECURITY_FS_USE_XATTR behavior by the
> policy yet it lacks xattr support, try to fall back to genfs rather than
> rejecting the mount. If a genfscon rule is found for the filesystem,
> then change the behavior to SECURITY_FS_USE_GENFS, otherwise reject the
> mount as before. A similar fallback is already done in security_fs_use()
> if no behavior specification is found for the given filesystem.
>
> This is needed e.g. for virtiofs, which may or may not support xattrs
> depending on the backing host filesystem.
>
> Example:
> # seinfo --genfs | grep ' ramfs'
> genfscon ramfs / system_u:object_r:ramfs_t:s0
> # echo '(fsuse xattr ramfs (system_u object_r fs_t ((s0) (s0))))' >ramfs_xattr.cil
> # semodule -i ramfs_xattr.cil
> # mount -t ramfs none /mnt
>
> Before:
> mount: /mnt: mount(2) system call failed: Operation not supported.
>
> After:
> (mount succeeds)
> # ls -Zd /mnt
> system_u:object_r:ramfs_t:s0 /mnt
>
> See also:
> https://lore.kernel.org/selinux/20210105142148.GA3200@xxxxxxxxxx/T/
> https://github.com/fedora-selinux/selinux-policy/pull/478
>
> Cc: Vivek Goyal <vgoyal@xxxxxxxxxx>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>
> v2:
> - incorporated Paul's suggestions
> - corrected the `ls` command in reproducer
>
> security/selinux/hooks.c | 77 +++++++++++++++++++++++++++-------------
> 1 file changed, 52 insertions(+), 25 deletions(-)

This looks better to me, merged into selinux/next. Thanks Ondrej!

--
paul moore
www.paul-moore.com
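The fallback described in the quoted commit message, as an added illustrative model and not the kernel's code: a small Python decision function that labels a new superblock from a constructed policy (the ramfs fsuse/genfscon rules from the reproducer), with a switch to compare the pre-patch and post-patch behaviour. The policy layout, the `MountRejected` exception and the `label_superblock`/`reproducer` names are assumptions of this example.

```python
# Simplified model of SELinux superblock labeling for the case in the
# commit message. Not the kernel implementation; policy is a plain dict.

SECURITY_FS_USE_XATTR = "xattr"
SECURITY_FS_USE_GENFS = "genfs"

# Constructed policy mirroring the reproducer: an fsuse xattr rule for
# ramfs plus a genfscon rule that labels the ramfs root as ramfs_t.
POLICY = {
    "fs_use": {"ramfs": (SECURITY_FS_USE_XATTR, "system_u:object_r:fs_t:s0")},
    "genfscon": {"ramfs": "system_u:object_r:ramfs_t:s0"},
}


class MountRejected(Exception):
    """Stands in for mount(2) failing with 'Operation not supported'."""


def genfs_lookup(policy, fstype):
    """Return the genfscon context for the filesystem root, or None."""
    return policy["genfscon"].get(fstype)


def label_superblock(policy, fstype, supports_xattr, fallback=True):
    """Return (behavior, context) for a new superblock or raise MountRejected.

    fallback=False reproduces the pre-patch behaviour (xattr rule on a
    filesystem without xattr support rejects the mount outright).
    """
    rule = policy["fs_use"].get(fstype)
    if rule is None:
        # Pre-existing fallback: no fs_use rule, so consult genfscon.
        ctx = genfs_lookup(policy, fstype)
        if ctx is not None:
            return SECURITY_FS_USE_GENFS, ctx
        return None, None  # default handling, not covered by this model
    behavior, ctx = rule
    if behavior == SECURITY_FS_USE_XATTR and not supports_xattr:
        if fallback:
            # New behaviour: switch to genfs if a genfscon rule exists.
            genfs_ctx = genfs_lookup(policy, fstype)
            if genfs_ctx is not None:
                return SECURITY_FS_USE_GENFS, genfs_ctx
        raise MountRejected(f"{fstype}: xattr behavior but no xattr support")
    return behavior, ctx


def reproducer():
    """ramfs with fsuse xattr and no xattr support, before and after."""
    results = {}
    for name, fb in (("before", False), ("after", True)):
        try:
            results[name] = label_superblock(POLICY, "ramfs", False, fallback=fb)
        except MountRejected:
            results[name] = "EOPNOTSUPP"
    return results
```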