From: Stephen Smalley
Subject: Re: lgetxattr()/getxattr() return different values on a file labelled with selinux disabled
Date: Fri, 15 Mar 2013 08:53:40 -0400
Message-ID: <514319D4.6050200@tycho.nsa.gov>
To: Thomas COUDRAY
Cc: jmorris@namei.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Paris
List-Id: linux-fsdevel.vger.kernel.org

On 03/15/2013 06:54 AM, Thomas COUDRAY wrote:
> Hi,
> I encounter trouble that I can't explain when labelling my files.
> Here are the steps to reproduce (on both 3.2.37 and 3.7.3, with SELinux, on
> an ext4 fs):
> 0 - have a regular file "f", with a "before_t" security.selinux attribute
> 1 - reboot with selinux=0
> 2 - change the label to "after_t" (setfattr or chcon)
> 3 - both "ls -Z" (which calls lgetxattr(2)) and "getfattr -n security.selinux"
> (which calls getxattr(2)) show "after_t"
> 4 - reboot with selinux enabled
> 5 - now ls prints "before_t", and getfattr "after_t".
>
> I ran a small test that calls both syscalls (lgetxattr/getxattr); I
> get "before_t" as expected.
> If I touch /.autorelabel, both ls/getfattr give "before_t".

f is truly a regular file and not a symlink pointing to a regular file?

before_t and after_t are both defined in the policy?

before_t and after_t are not type aliases of each other?

What are the credentials (capabilities and SELinux security context/permissions) of the process running the ls and getfattr commands?

Any relevant messages from SELinux in dmesg output?
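The "small test that calls both syscalls" mentioned in the report is not shown in the thread. The program below is an added example written for this page, not code from either poster or from the kernel tree. It takes a path on the command line, answers the first question above by lstat()ing it, then reads security.selinux through both getxattr(2) (which follows a final symlink) and lgetxattr(2) (which reads the link itself), keeps each call's errno so that "no label" (ENODATA), "no xattr support" (ENOTSUP) and a denied read (EACCES/EPERM) stay distinguishable, and reports whether the two values agree. The helper names (read_label, compare_selinux_labels, the label_cmp enum) are this example's own.

```c
/*
 * Added example for this thread, not code from the original message or
 * from the kernel tree. Reads security.selinux through getxattr(2) and
 * lgetxattr(2) for one path and reports whether the two values agree.
 * All function and enum names below are this example's own.
 *
 * Build: cc -Wall -o labelcmp labelcmp.c    Run: ./labelcmp /path/to/f
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SELINUX_XATTR "security.selinux"

enum label_cmp {
    LABEL_UNAVAILABLE = -1, /* neither call returned a value */
    LABEL_SAME = 0,         /* both calls returned the same label */
    LABEL_DIFFER = 1,       /* both succeeded but the labels differ */
    LABEL_PARTIAL = 2       /* exactly one of the two calls succeeded */
};

/* getxattr(2) and lgetxattr(2) share this signature. */
typedef ssize_t (*xattr_fn)(const char *, const char *, void *, size_t);

/*
 * Read security.selinux into buf as a NUL-terminated string. SELinux
 * stores and returns the context with a trailing NUL, so one trailing
 * NUL is dropped before comparison. Returns the label length, or -1 with
 * *err set to errno (ENODATA: no label; ENOTSUP: filesystem has no
 * security xattr support; EACCES/EPERM: policy or DAC denied the read).
 */
static ssize_t read_label(xattr_fn fn, const char *path,
                          char *buf, size_t len, int *err)
{
    ssize_t n = fn(path, SELINUX_XATTR, buf, len - 1);

    if (n < 0) {
        *err = errno;
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\0')
        n--;
    *err = 0;
    return n;
}

/*
 * Compare the label seen through getxattr() with the one seen through
 * lgetxattr(). *is_symlink reports what lstat() says about the path,
 * which is the first thing to check when the two calls disagree.
 */
int compare_selinux_labels(const char *path, int *is_symlink,
                           char *via_getxattr, char *via_lgetxattr,
                           size_t len, int *err_get, int *err_lget)
{
    struct stat st;
    ssize_t g, l;

    *is_symlink = (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) ? 1 : 0;
    g = read_label(getxattr, path, via_getxattr, len, err_get);
    l = read_label(lgetxattr, path, via_lgetxattr, len, err_lget);

    if (g < 0 && l < 0)
        return LABEL_UNAVAILABLE;
    if (g < 0 || l < 0)
        return LABEL_PARTIAL;
    return strcmp(via_getxattr, via_lgetxattr) == 0 ? LABEL_SAME
                                                    : LABEL_DIFFER;
}

int main(int argc, char **argv)
{
    char g[256], l[256];
    int sym, eg, el, r;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <path>\n", argv[0]);
        return 2;
    }
    r = compare_selinux_labels(argv[1], &sym, g, l, sizeof g, &eg, &el);
    printf("%s: lstat says %s\n", argv[1], sym ? "symlink" : "not a symlink");
    printf("getxattr : %s\n", eg ? strerror(eg) : g);
    printf("lgetxattr: %s\n", el ? strerror(el) : l);
    printf("result   : %s\n",
           r == LABEL_SAME ? "same" : r == LABEL_DIFFER ? "DIFFER" :
           r == LABEL_PARTIAL ? "only one call succeeded" : "no label readable");
    return r == LABEL_SAME ? 0 : 1;
}
```

On a symlink the two calls legitimately disagree, because getxattr() reports the target's label and lgetxattr() the link's own, which is why the first question above is about symlinks. On a regular file with SELinux enabled, both calls are answered from SELinux's in-core view of the inode rather than from the raw on-disk xattr, so a difference between them (or between ls and getfattr, which run as whatever context the shell has) points at the caller's credentials, the policy's definition of the types, or a denial visible in dmesg, not at the filesystem.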