On Tue, Sep 4, 2018 at 4:49 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> commit 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs")
> broke mounting of cgroup2 under older SELinux policies which lacked
> a genfscon rule for cgroup2. This prevents mounting of cgroup2 even
> when SELinux is permissive.
>
> Change the handling when there is no genfscon rule in policy to
> just mark the inode unlabeled and not return an error to the caller.
> This permits mounting and access if allowed by policy, e.g. to
> unconfined domains.
>
> I also considered changing the behavior of security_genfs_sid() to
> never return -ENOENT, but the current behavior is relied upon by
> other callers to perform caller-specific handling.
>
> Fixes: 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs")
> CC: <stable@xxxxxxxxxxxxxxx>
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Reported-by: Waiman Long <longman@xxxxxxxxxx>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 5 +++++
> 1 file changed, 5 insertions(+)

Looks like a reasonable approach to me, merged into selinux/next, thanks.

As a FYI, since the US holiday and LSS-NA delayed the start of merging
things into selinux/next I've updated selinux/next on top of v4.19-rc2
instead of -rc1 this time around.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f78318af8254..58fee382a3bb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1508,6 +1508,11 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
> }
> rc = security_genfs_sid(&selinux_state, sb->s_type->name,
> path, tclass, sid);
> + if (rc == -ENOENT) {
> + /* No match in policy, mark as unlabeled. */
> + *sid = SECINITSID_UNLABELED;
> + rc = 0;
> + }
> }
> free_page((unsigned long)buffer);
> return rc;
> --
> 2.14.4

--
paul moore
www.paul-moore.com
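Review bot: the in-code comment on the added `if (rc == -ENOENT)` branch in selinux_genfs_get_sid() is thinner than the commit message and should carry the rationale, since a future reader of hooks.c will not see the cover letter. As written, `/* No match in policy, mark as unlabeled. */` does not say why the missing-genfscon case is tolerated here rather than propagated, nor that access to the resulting SECINITSID_UNLABELED inode is still decided by policy (the commit message's "permits mounting and access if allowed by policy, e.g. to unconfined domains"). Suggest expanding it along the lines of "No genfscon rule in policy for this filesystem (e.g. cgroup2 under older policies); treat the inode as unlabeled so the mount succeeds and let policy decide access, instead of failing the mount", and noting that only -ENOENT is converted while other errors from security_genfs_sid() still propagate, which is the behaviour the commit message says other callers depend on.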