ls from coreutils 9.6 doesn't show labels of some files


 



Hello everyone,

In a recent commit [1] that has already made it into the coreutils
package in Fedora Rawhide, ls changed the way it retrieves security
labels from files, which causes the SELinux label not to be displayed
with -Z for some files. It seems that the key difference is that it
now relies on the result of llistxattr(2) to determine if the label
should be retrieved and if security.selinux is not listed, it just
prints ? as if the file had no label. On some inodes on some
filesystems (e.g. the root inode on tmpfs or most sysfs inodes),
however, security.selinux is not currently returned in *listxattr(2),
so the labels are not shown even though they are there (and would be
returned in a *getxattr(2) call).

We can of course ask coreutils to go back to fetching the label
unconditionally, but perhaps we should also/instead fix the
*listxattr(2) output to be correct? IIUC, in some cases it's a matter
of adding a security_inode_init_security() call, while other ones may
need a hook for listxattr that would inject the security.selinux entry
when it's not returned by the filesystem already.

[1] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=4ce432ad8738387f1b2e80e883dc7080df3afabe

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
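
A small diagnostic for the mismatch described in the message above, added here as an example (it is not part of the original post, coreutils, or the kernel): it reports whether `security.selinux` can be read with lgetxattr(2) while being absent from the llistxattr(2) output. The enum, function names and output wording are illustrative assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"
enum label_state { LABEL_NONE, LABEL_LISTED, LABEL_UNLISTED, LABEL_ERROR };

/* Search a listxattr-style buffer: NUL-terminated names stored back to back. */
static int xattr_list_has(const char *buf, size_t len, const char *name)
{
    for (size_t off = 0; off < len; ) {
        const char *end = memchr(buf + off, '\0', len - off);
        size_t n = end ? (size_t)(end - (buf + off)) : len - off;
        if (n == strlen(name) && memcmp(buf + off, name, n) == 0)
            return 1;
        off += n + 1;
    }
    return 0;
}

/* Compare what llistxattr(2) advertises with what lgetxattr(2) returns. */
static enum label_state selinux_label_state(const char *path)
{
    /* Size 0 only probes: the value length is returned, nothing is copied. */
    if (lgetxattr(path, SELINUX_XATTR, NULL, 0) < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? LABEL_NONE : LABEL_ERROR;
    ssize_t need = llistxattr(path, NULL, 0);
    if (need == 0 || (need < 0 && errno == ENOTSUP))
        return LABEL_UNLISTED;          /* label exists, listing is empty */
    if (need < 0) return LABEL_ERROR;
    char *buf = malloc((size_t)need);
    if (!buf) return LABEL_ERROR;
    ssize_t got = llistxattr(path, buf, (size_t)need);
    enum label_state st = got < 0 ? LABEL_ERROR :
        xattr_list_has(buf, (size_t)got, SELINUX_XATTR) ? LABEL_LISTED : LABEL_UNLISTED;
    free(buf);
    return st;
}

int main(int argc, char **argv)
{
    static const char *const text[] = { "no label", "listed", "UNLISTED", "error" };
    for (int i = 1; i < argc; i++)
        printf("%-8s %s\n", text[selinux_label_state(argv[i])], argv[i]);
    return 0;
}
```

Paths reported as `UNLISTED` are the ones where an `ls -Z` that trusts the listing would print `?` even though a label is set, such as the tmpfs root and sysfs inodes mentioned in the message.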




