On Tue, Jan 28, 2025 at 10:12 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> Hello everyone,
>
> In a recent commit [1] that has already made it into the coreutils
> package in Fedora Rawhide, ls changed the way it retrieves security
> labels from files, which causes the SELinux label not to be displayed
> with -Z for some files. It seems that the key difference is that it
> now relies on the result of llistxattr(2) to determine if the label
> should be retrieved and if security.selinux is not listed, it just
> prints ? as if the file had no label. On some inodes on some
> filesystems (e.g. the root inode on tmpfs or most sysfs inodes),
> however, security.selinux is not currently returned in *listxattr(2),
> so the labels are not shown even though they are there (and would be
> returned in a *getxattr(2) call).
>
> We can of course ask coreutils to go back to fetching the label
> unconditionally, but perhaps we should also/instead fix the
> *listxattr(2) output to be correct? IIUC, in some cases it's a matter
> of adding a security_inode_init_security() call, while other ones may
> need a hook for listxattr that would inject the security.selinux entry
> when it's not returned by the filesystem already.
>
> [1] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=4ce432ad8738387f1b2e80e883dc7080df3afabe

There may be other side effects of that commit, e.g. loss of context
translation if using mcstrans or equivalent. WRT to returning
security.selinux, selinux_inode_listsecurity() already includes the
SELinux xattr name so that should already be returned, unless the
filesystem implements its own listxattr handler for security.* _and_
doesn't include the SELinux one.
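
The mismatch discussed in this thread can be checked per path with the two calls named above, llistxattr(2) and lgetxattr(2). The program below is an added example, not code from coreutils, the kernel, or either poster; the names xattr_list_has, classify and check_path are hypothetical, and treating ENODATA/ENOTSUP as "no label" is an assumption of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"
enum label_state { LABEL_ABSENT, LABEL_LISTED, LABEL_UNLISTED, LABEL_ERROR };

/* Return 1 if name is an entry in a listxattr buffer (NUL-terminated names). */
int xattr_list_has(const char *list, size_t len, const char *name)
{
    size_t off = 0, want = strlen(name);
    while (off < len) {
        const char *end = memchr(list + off, '\0', len - off);
        size_t n = end ? (size_t)(end - (list + off)) : len - off;
        if (n == want && memcmp(list + off, name, n) == 0)
            return 1;
        off += n + 1;
    }
    return 0;
}

/* Combine the listxattr result with the getxattr return value and errno. */
enum label_state classify(int listed, ssize_t get_ret, int get_errno)
{
    if (get_ret >= 0)
        return listed ? LABEL_LISTED : LABEL_UNLISTED;
    return (get_errno == ENODATA || get_errno == ENOTSUP) ? LABEL_ABSENT : LABEL_ERROR;
}

/* Query one path, not following symlinks; a list over 4096 bytes gives LABEL_ERROR. */
enum label_state check_path(const char *path)
{
    char list[4096];
    ssize_t len = llistxattr(path, list, sizeof list);
    if (len < 0) return LABEL_ERROR;
    int listed = xattr_list_has(list, (size_t)len, SELINUX_XATTR);
    ssize_t got = lgetxattr(path, SELINUX_XATTR, NULL, 0); /* size 0: length only */
    return classify(listed, got, errno);
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "no label", "label listed",
        "label present but missing from listxattr", "error" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], msg[check_path(argv[i])]);
    return 0;
}
```

Paths reported as "label present but missing from listxattr" are the ones for which the changed ls -Z would print ? according to the report above.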