From: David Disseldorp <ddiss@suse.de>
To: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <stephen.smalley.work@gmail.com>,
selinux@vger.kernel.org, linux-unionfs@vger.kernel.org
Subject: Re: [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized
Date: Fri, 20 Oct 2023 22:33:27 +0200 [thread overview]
Message-ID: <20231020223327.09a6a12b@echidna.fritz.box> (raw)
In-Reply-To: <CAHC9VhTLjcQXNoc8L3Uw=TRRghLuA_TnQbRkGtwnCu4kxVXE0g@mail.gmail.com>
Hi Paul and Stephen,
On Fri, 20 Oct 2023 11:55:31 -0400, Paul Moore wrote:
> On Fri, Oct 20, 2023 at 8:21 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > On Wed, Oct 18, 2023 at 6:08 AM David Disseldorp <ddiss@suse.de> wrote:
> > >
> > > Extended attribute copy-up functionality added via 19472b69d639d
> > > ("selinux: Implementation for inode_copy_up_xattr() hook") sees
> > > "security.selinux" contexts dropped, instead relying on contexts
> > > applied via the inode_copy_up() hook.
> > >
> > > When copy-up takes place during early boot, prior to selinux
> > > initialization / policy load, the context stripping can be unwanted
> > > and unexpected. Make filtering dependent on selinux_initialized().
> > >
> > > RFC: This changes user behaviour so is likely unacceptable. Still,
> > > I'd be interested in hearing other suggestions for how this could be
> > > addressed.
> >
> > IMHO, this is fixing a bug, only affects early userspace (pre policy
> > load), and is likely acceptable.
> > But Paul will make the final call. We can't introduce and use a new
> > policy capability here because this is before policy has been loaded.
>
> I agree with Stephen, this is a bug fix so I wouldn't worry too much
> about user visible behavior. For better or worse, the
> SELinux-enabled-but-no-policy-loaded case has always been a bit
> awkward and has required multiple patches over the years to correct
> unwanted behaviors.
Understood.
> I'm open to comments on this, but I don't believe this is something we
> want to see backported to the stable kernels, and considering we are
> currently at v6.6-rc6, this isn't really a candidate for the upcoming
> merge window. This means we have a few more weeks to comment, test,
> etc. and one of the things I would like to see is a better description
> of before-and-after labeling in the commit description. This helps
> people who trip over this change, identify what changed, and helps
> them resolve the problem on their systems.
>
> Does that sound good?
That sounds good to me. I'll rework the commit description (and comment
above this change), do some further testing and then submit a v2.
Thanks for your feedback,
David
next prev parent reply other threads:[~2023-10-20 20:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-18 10:08 [PATCH] RFC: selinux: don't filter copy-up xattrs while uninitialized David Disseldorp
2023-10-20 12:21 ` Stephen Smalley
2023-10-20 15:55 ` Paul Moore
2023-10-20 20:33 ` David Disseldorp [this message]
2023-11-20 23:03 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231020223327.09a6a12b@echidna.fritz.box \
--to=ddiss@suse.de \
--cc=linux-unionfs@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox