Comments (2)
hey, so I'm just guessing, but grepping around the kernel source I see this:
╎❯ git grep SECURITY_FS_USE_XATTR
security/selinux/hooks.c: case SECURITY_FS_USE_XATTR:
security/selinux/hooks.c: if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
security/selinux/hooks.c: if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
security/selinux/hooks.c: if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
security/selinux/hooks.c: case SECURITY_FS_USE_XATTR:
security/selinux/hooks.c: * that first. We could split SECURITY_FS_USE_XATTR in
security/selinux/include/security.h:#define SECURITY_FS_USE_XATTR 1 /* use xattr */
So nothing explicitly sets that behavior. Are there other ways the behavior can get set?
╎❯ git grep 'behavior =.*' |grep -v SECURITY_FS
hooks.c: newsbsec->behavior = oldsbsec->behavior;
ss/policydb.c: c->v.behavior = le32_to_cpu(buf[0]);
ss/services.c: sbsec->behavior = c->v.behavior;
So we can see the hooks.c one is just duping an object or something so that's not it. It looks like the services.c one is setting the behavior to whatever comes from the policydb.c one.
Looking at it closer we have
static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
			void *fp)
...
			case OCON_FSUSE:
				rc = next_entry(buf, fp, sizeof(u32)*2);
				if (rc)
					goto out;

				rc = -EINVAL;
				c->v.behavior = le32_to_cpu(buf[0]);
So to continue guessing... policydb is probably the selinux policy, and there's some "fs use" feature in the policy that's pertinent.
So on that hunch, I just checked out the selinux policy in fedora and grepped
╎❯ grep xattr . -R | grep fs |grep use
...
./policy/modules/kernel/filesystem.te:fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr vxfs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr odms gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr vxclonefs gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
./policy/modules/kernel/filesystem.te:fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
...
So it seems (assuming all my unsubstantiated guesses are right) that the selinux policy needs to be updated to have an entry for composefs.
Ah, that makes sense, and I remember actually having to do this for ostreefs a while ago too. I think I made a module you could load to fix this even. I guess we need to document what you need to do here until we get the fs upstream.
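The following is an added illustration written for this page; it is not code from either commenter, from composefs, or from the kernel. It is a small userspace model of the two kernel paths the first comment traced: ocontext_read() in security/selinux/ss/policydb.c reading OCON_FSUSE records (u32 behavior, u32 name length, name bytes; the security context that follows each record in the real policy is omitted here), and security_fs_use() in security/selinux/ss/services.c, which copies the matching record's behavior into sbsec->behavior and otherwise falls back to genfscon (SECURITY_FS_USE_GENFS) or, with no match at all, SECURITY_FS_USE_NONE. The constants are the ones from security/selinux/include/security.h; the policy bytes and the genfscon list are constructed for the example and do not come from any real policy.

```c
/*
 * Illustration only (not kernel or composefs code): how SELinux maps a
 * filesystem type name to a labeling behavior, modelled on ocontext_read()
 * (policydb.c) and security_fs_use() (services.c).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From security/selinux/include/security.h. */
#define SECURITY_FS_USE_XATTR    1 /* use xattr */
#define SECURITY_FS_USE_TRANS    2 /* use transition SIDs, e.g. devpts/tmpfs */
#define SECURITY_FS_USE_TASK     3 /* use task SIDs, e.g. pipefs/sockfs */
#define SECURITY_FS_USE_GENFS    4 /* use the genfs support */
#define SECURITY_FS_USE_NONE     5 /* no labeling support */
#define SECURITY_FS_USE_MNTPOINT 6 /* use mountpoint labeling */
#define SECURITY_FS_USE_NATIVE   7 /* use native label support */
#define SECURITY_FS_USE_MAX      7

#define MAX_FS_USE 16
#define MAX_NAME   32

struct fs_use_entry { uint32_t behavior; char name[MAX_NAME]; };
struct fs_use_table { struct fs_use_entry e[MAX_FS_USE]; size_t n; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse `count` OCON_FSUSE records (behavior, len, name), like the
 * OCON_FSUSE case of ocontext_read().  Returns 0, or -1 where the kernel
 * would return -EINVAL: behavior above SECURITY_FS_USE_MAX, or
 * SECURITY_FS_USE_MNTPOINT, which is decided at mount time, not in policy. */
int parse_fs_use(const uint8_t *buf, size_t buflen, uint32_t count,
                 struct fs_use_table *t)
{
    size_t off = 0;
    t->n = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (buflen - off < 8 || t->n == MAX_FS_USE)
            return -1;
        uint32_t behavior = le32(buf + off);
        uint32_t len = le32(buf + off + 4);
        off += 8;
        if (behavior == SECURITY_FS_USE_MNTPOINT || behavior > SECURITY_FS_USE_MAX)
            return -1;
        if (len == 0 || len >= MAX_NAME || buflen - off < len)
            return -1;
        struct fs_use_entry *e = &t->e[t->n++];
        e->behavior = behavior;
        memcpy(e->name, buf + off, len);
        e->name[len] = '\0';
        off += len;
    }
    return 0;
}

/* Model of security_fs_use(): an fs_use record for the type wins; otherwise
 * a genfscon entry for the type gives GENFS; otherwise NONE. */
uint32_t fs_use_behavior(const struct fs_use_table *t, const char *const *genfs,
                         size_t ngenfs, const char *fstype)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->e[i].name, fstype) == 0)
            return t->e[i].behavior;
    for (size_t i = 0; i < ngenfs; i++)
        if (strcmp(genfs[i], fstype) == 0)
            return SECURITY_FS_USE_GENFS;
    return SECURITY_FS_USE_NONE;
}

/* Constructed sample policy: fs_use_xattr ext4 and fs_use_trans tmpfs, with
 * the contexts left out; plus a constructed genfscon list.  Not real policy. */
static const uint8_t sample_policy[] = {
    1, 0, 0, 0,  4, 0, 0, 0,  'e', 'x', 't', '4',
    2, 0, 0, 0,  5, 0, 0, 0,  't', 'm', 'p', 'f', 's',
};
static const char *const sample_genfs[] = { "proc", "sysfs" };

uint32_t behavior_for(const char *fstype)
{
    struct fs_use_table t;
    if (parse_fs_use(sample_policy, sizeof sample_policy, 2, &t) != 0)
        return 0;
    return fs_use_behavior(&t, sample_genfs, 2, fstype);
}

/* A record claiming behavior 9 must be rejected, as in the kernel. */
int rejects_bad_behavior(void)
{
    static const uint8_t bad[] = { 9, 0, 0, 0,  1, 0, 0, 0,  'x' };
    struct fs_use_table t;
    return parse_fs_use(bad, sizeof bad, 1, &t) == -1;
}

int main(void)
{
    const char *types[] = { "ext4", "tmpfs", "proc", "composefs" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s -> behavior %u\n", types[i], behavior_for(types[i]));
    return 0;
}
```

Running it prints ext4 as 1 (xattr), tmpfs as 2 (trans), proc as 4 (genfs) and composefs as 5 (none): with neither an fs_use nor a genfscon entry, a composefs superblock gets no labeling support, which is the situation the two comments above describe. Fedora's reference policy declares the xattr behavior per filesystem with fs_use_xattr in policy/modules/kernel/filesystem.te, as the grep output above shows, and composefs is absent from that list. One way to add the entry without rebuilding the base policy, assuming (as the second comment suggests) that a loadable module can carry it, is a CIL module containing (fsuse xattr composefs (system_u object_r fs_t ((s0) (s0)))) installed with semodule -i; seinfo --fs_use from setools lists the fs_use statements in the loaded policy so the result can be checked.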