On Fri, Oct 20, 2023 at 8:21 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@xxxxxxx> wrote:
> >
> > Extended attribute copy-up functionality added via 19472b69d639d
> > ("selinux: Implementation for inode_copy_up_xattr() hook") sees
> > "security.selinux" contexts dropped, instead relying on contexts
> > applied via the inode_copy_up() hook.
> >
> > When copy-up takes place during early boot, prior to selinux
> > initialization / policy load, the context stripping can be unwanted
> > and unexpected. Make filtering dependent on selinux_initialized().
> >
> > RFC: This changes user behaviour so is likely unacceptable. Still,
> > I'd be interested in hearing other suggestions for how this could be
> > addressed.
>
> IMHO, this is fixing a bug, only affects early userspace (pre policy
> load), and is likely acceptable.
> But Paul will make the final call. We can't introduce and use a new
> policy capability here because this is before policy has been loaded.
I agree with Stephen, this is a bug fix so I wouldn't worry too much
about user visible behavior. For better or worse, the
SELinux-enabled-but-no-policy-loaded case has always been a bit
awkward and has required multiple patches over the years to correct
unwanted behaviors.
I'm open to comments on this, but I don't believe this is something we
want to see backported to the stable kernels, and considering we are
currently at v6.6-rc6, this isn't really a candidate for the upcoming
merge window. This means we have a few more weeks to comment, test,
etc. and one of the things I would like to see is a better description
of before-and-after labeling in the commit description. This helps
people who trip over this change, identify what changed, and helps
them resolve the problem on their systems.
Does that sound good?
--
paul-moore.com
