On Tue, Jan 28, 2025 at 10:27 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > On Tue, Jan 28, 2025 at 10:12 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > Hello everyone, > > > > In a recent commit [1] that has already made it into the coreutils > > package in Fedora Rawhide, ls changed the way it retrieves security > > labels from files, which causes the SELinux label not to be displayed > > with -Z for some files. It seems that the key difference is that it > > now relies on the result of llistxattr(2) to determine if the label > > should be retrieved and if security.selinux is not listed, it just > > prints ? as if the file had no label. On some inodes on some > > filesystems (e.g. the root inode on tmpfs or most sysfs inodes), > > however, security.selinux is not currently returned in *listxattr(2), > > so the labels are not shown even though they are there (and would be > > returned in a *getxattr(2) call). > > > > We can of course ask coreutils to go back to fetching the label > > unconditionally, but perhaps we should also/instead fix the > > *listxattr(2) output to be correct? IIUC, in some cases it's a matter > > of adding a security_inode_init_security() call, while other ones may > > need a hook for listxattr that would inject the security.selinux entry > > when it's not returned by the filesystem already. > > > > [1] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=4ce432ad8738387f1b2e80e883dc7080df3afabe > > There may be other side effects of that commit, e.g. loss of context > translation if using mcstrans or equivalent. Out of curiosity, do we have any idea of the motivation behind that change? The commit description is poorly formatted, but it looks like a number of changes that are only loosely related around xattrs with the only motivation appearing to be in the subject: "use fewer xattr-related syscalls". Regardless, I think Stephen has a good point with the potential for a loss of translation surprising some users. > WRT to returning security.selinux, selinux_inode_listsecurity() > already includes the SELinux xattr name so that should already be > returned, > unless the filesystem implements its own listxattr handler for > security.* _and_ doesn't include the SELinux one. I can't think of a good reason why we would ever want the *listxattr() syscalls to not provide security.selinux, if there is an individual filesystem that is different/broken in this regard it should be treated as a BUG and fixed. -- paul-moore.com
