This is a note to let you know that I've just added the patch titled afs: Fix SELinux setting security label on /afs to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: afs-fix-selinux-setting-security-label-on-afs.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 2bc0217f2a84e3df2afa4ebb0387963443c29ecf Author: David Howells <dhowells@xxxxxxxxxx> Date: Mon Dec 9 15:04:45 2019 +0000 afs: Fix SELinux setting security label on /afs [ Upstream commit bcbccaf2edcf1b76f73f890e968babef446151a4 ] Make the AFS dynamic root superblock R/W so that SELinux can set the security label on it. Without this, upgrades to, say, the Fedora filesystem-afs RPM fail if afs is mounted on it because the SELinux label can't be (re-)applied. It might be better to make it possible to bypass the R/O check for LSM label application through setxattr. Fixes: 4d673da14533 ("afs: Support the AFS dynamic root") Signed-off-by: David Howells <dhowells@xxxxxxxxxx> Reviewed-by: Marc Dionne <marc.dionne@xxxxxxxxxxxx> cc: selinux@xxxxxxxxxxxxxxx cc: linux-security-module@xxxxxxxxxxxxxxx Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/fs/afs/super.c b/fs/afs/super.c index 4d3e274207fb..bd2608297473 100644 --- a/fs/afs/super.c +++ b/fs/afs/super.c @@ -404,7 +404,6 @@ static int afs_fill_super(struct super_block *sb, /* allocate the root inode and dentry */ if (as->dyn_root) { inode = afs_iget_pseudo_dir(sb, true); - sb->s_flags |= SB_RDONLY; } else { sprintf(sb->s_id, "%u", as->volume->vid); afs_activate_volume(as->volume);