This is a note to let you know that I've just added the patch titled afs: Fix SELinux setting security label on /afs to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: afs-fix-selinux-setting-security-label-on-afs.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit e34439c64b0aa19cd3526fda1ba3366299f92d32 Author: David Howells <dhowells@xxxxxxxxxx> Date: Mon Dec 9 15:04:45 2019 +0000 afs: Fix SELinux setting security label on /afs [ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ] Make the AFS dynamic root superblock R/W so that SELinux can set the security label on it. Without this, upgrades to, say, the Fedora filesystem-afs RPM fail if afs is mounted on it because the SELinux label can't be (re-)applied. It might be better to make it possible to bypass the R/O check for LSM label application through setxattr. Fixes: 4d673da14533 ("afs: Support the AFS dynamic root") Signed-off-by: David Howells <dhowells@xxxxxxxxxx> Reviewed-by: Marc Dionne <marc.dionne@xxxxxxxxxxxx> cc: selinux@xxxxxxxxxxxxxxx cc: linux-security-module@xxxxxxxxxxxxxxx Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/fs/afs/super.c b/fs/afs/super.c index 488641b1a418..d9a6036b70b9 100644 --- a/fs/afs/super.c +++ b/fs/afs/super.c @@ -448,7 +448,6 @@ static int afs_fill_super(struct super_block *sb, struct afs_fs_context *ctx) /* allocate the root inode and dentry */ if (as->dyn_root) { inode = afs_iget_pseudo_dir(sb, true); - sb->s_flags |= SB_RDONLY; } else { sprintf(sb->s_id, "%llu", as->volume->vid); afs_activate_volume(as->volume);