
Comments (2)

halfline commented on June 4, 2024

hey, so I'm just guessing, but grepping around the kernel source I see this:

╎❯ git grep SECURITY_FS_USE_XATTR
security/selinux/hooks.c:       case SECURITY_FS_USE_XATTR:
security/selinux/hooks.c:       if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
security/selinux/hooks.c:               if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
security/selinux/hooks.c:               if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
security/selinux/hooks.c:       case SECURITY_FS_USE_XATTR:
security/selinux/hooks.c:                        * that first.  We could split SECURITY_FS_USE_XATTR in
security/selinux/include/security.h:#define SECURITY_FS_USE_XATTR               1 /* use xattr */

So nothing explicitly sets that behavior. Are there other ways the behavior can get set?

╎❯ git grep 'behavior =.*' |grep -v SECURITY_FS
hooks.c:	newsbsec->behavior = oldsbsec->behavior;
ss/policydb.c:				c->v.behavior = le32_to_cpu(buf[0]);
ss/services.c:		sbsec->behavior = c->v.behavior;

So we can see the hooks.c one is just duping an object or something so that's not it. It looks like the services.c one is setting the behavior to whatever comes from the policydb.c one.

Looking at it closer we have:

static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
                         void *fp)
...
                        case OCON_FSUSE:
                                rc = next_entry(buf, fp, sizeof(u32)*2);
                                if (rc)
                                        goto out;

                                rc = -EINVAL;
                                c->v.behavior = le32_to_cpu(buf[0]);

So to continue guessing... policydb is probably the selinux policy, and there's some "fs use" feature in the policy that's pertinent.

So on that hunch, I just checked out the selinux policy in fedora and grepped:

╎❯ grep xattr . -R | grep fs |grep use
...
./policy/modules/kernel/filesystem.te:fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr vxfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr odms gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr vxclonefs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
...

So it seems (assuming all my unsubstantiated guesses are right) that the selinux policy needs to be updated to have an entry for composefs.

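As an added example (not code from the thread or from the composefs project): a small Python script that parses fs_use_* statements of the refpolicy form quoted above and reports which filesystem types get a superblock labeling behaviour and which ones have no entry at all, the situation described for composefs. The input is a constructed excerpt modelled on filesystem.te, not the real file. The mapping fs_use_xattr -> SECURITY_FS_USE_XATTR (1) follows the chain the comment traces (policy -> policydb -> sbsec->behavior); the values for SECURITY_FS_USE_TRANS (2) and SECURITY_FS_USE_TASK (3) come from security/selinux/include/security.h and are not quoted on the page.

```python
"""Check which filesystem types a refpolicy-style filesystem.te assigns an
fs_use_* labeling behaviour, and which are missing (e.g. a new fs type)."""
import re
from typing import Dict, List, NamedTuple, Optional

# Superblock labeling behaviours from security/selinux/include/security.h.
# XATTR (1) is quoted in the thread; TRANS and TASK are the other two that
# fs_use_* policy statements can select (values taken from security.h).
SECURITY_FS_USE_XATTR = 1  # labels read from the security.selinux xattr of each inode
SECURITY_FS_USE_TRANS = 2  # labels derived by type transition from the mounting task
SECURITY_FS_USE_TASK = 3   # labels derived from the creating task (pipefs, sockfs)

# Policy statement keyword -> kernel behaviour value loaded into sbsec->behavior.
FS_USE_STATEMENT_TO_BEHAVIOR = {
    "fs_use_xattr": SECURITY_FS_USE_XATTR,
    "fs_use_trans": SECURITY_FS_USE_TRANS,
    "fs_use_task": SECURITY_FS_USE_TASK,
}


class FsUseRule(NamedTuple):
    statement: str   # e.g. "fs_use_xattr"
    fstype: str      # e.g. "ext4"
    context: str     # e.g. "system_u:object_r:fs_t,s0"
    behavior: int    # SECURITY_FS_USE_* value the kernel will apply


# Matches lines such as:
#   fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
# Comment lines and unrelated statements do not match and are skipped.
_FS_USE_RE = re.compile(
    r"^\s*(fs_use_xattr|fs_use_trans|fs_use_task)\s+(\S+)\s+"
    r"gen_context\(([^)]*)\)\s*;"
)

# Constructed excerpt in the style of policy/modules/kernel/filesystem.te.
SAMPLE_FILESYSTEM_TE = """\
# constructed sample, not the real filesystem.te
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
"""


def parse_fs_use_rules(policy_text: str) -> Dict[str, FsUseRule]:
    """Return a map fstype -> FsUseRule for every fs_use_* statement found."""
    rules: Dict[str, FsUseRule] = {}
    for line in policy_text.splitlines():
        m = _FS_USE_RE.match(line)
        if not m:
            continue
        statement, fstype, context = m.groups()
        behavior = FS_USE_STATEMENT_TO_BEHAVIOR[statement]
        rules[fstype] = FsUseRule(statement, fstype, context.strip(), behavior)
    return rules


def fs_use_behavior(rules: Dict[str, FsUseRule], fstype: str) -> Optional[int]:
    """Behaviour the kernel would load for fstype, or None if policy has no entry."""
    rule = rules.get(fstype)
    return rule.behavior if rule else None


def missing_fs_use(rules: Dict[str, FsUseRule], fstypes: List[str]) -> List[str]:
    """Filesystem types from fstypes that have no fs_use_* statement at all."""
    return [fs for fs in fstypes if fs not in rules]


def report(rules: Dict[str, FsUseRule], fstypes: List[str]) -> Dict[str, Optional[int]]:
    """fstype -> behaviour value (None where the policy is silent)."""
    return {fs: fs_use_behavior(rules, fs) for fs in fstypes}


if __name__ == "__main__":
    rules = parse_fs_use_rules(SAMPLE_FILESYSTEM_TE)
    wanted = ["ext4", "overlay", "tmpfs", "composefs"]  # composefs: the thread's case
    for fs, behavior in report(rules, wanted).items():
        print(f"{fs:10s} -> {behavior if behavior is not None else 'NO fs_use entry'}")
    print("missing:", missing_fs_use(rules, wanted))
```

Run against a real filesystem.te (or the output of a policy dump) the same parser tells you, before mounting a new filesystem type, whether the loaded policy will label its inodes from xattrs or fall back to a default, which is the gap the thread arrives at for composefs.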

alexlarsson commented on June 4, 2024

Ah, that makes sense, and I remember actually having to do this for ostreefs a while ago too. I think I made a module you could load to fix this even. I guess we need to document what you need to do here until we get the fs upstream.
