[LU-13679] security.selinux xattr handling when SELinux is disabled
Created: 15/Jun/20 Updated: 15/Jun/20

| Status: | Open |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.12.5 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Andrew Perepechko |
| Assignee: | WC Triage |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |

| Description |
When SELinux is disabled, "security.selinux" does not have any special meaning. However:

1) security.selinux is filtered out from the xattr cache even when SELinux is disabled:

```c
        } else if (!strcmp(xdata, "security.selinux")) {
                /* Filter out security.selinux, it is cached in slab */
                CDEBUG(D_CACHE, "not caching security.selinux\n");
                rc = 0;
        } else {
```

Lustre listxattr, as opposed to other Linux filesystems such as XFS, will not list "security.selinux", and getxattr will not return its value.

2) security.selinux is not allowed to be modified or removed when SELinux is disabled:

```c
        /* LU-549: Disable security.selinux when selinux is disabled */
        if (xattr_type == XATTR_SECURITY_T && !selinux_is_enabled() &&
            strcmp(name, "security.selinux") == 0)
                RETURN(-EOPNOTSUPP);
```

This looks like a very old optimization of a case which is not completely clear to me. Under what circumstances would anyone modify security.selinux without SELinux enabled? Is it some sort of untar? If so, then is it correct to return EOPNOTSUPP instead of applying the xattr? Either way, without SELinux enabled, XFS allows security.selinux removal.
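The two behaviours described in this ticket (the name missing from listxattr output, and set/remove failing with EOPNOTSUPP) are easy to confirm empirically on a given mount. The following diagnostic is an added example for this page, not Lustre code: it creates one scratch file on the filesystem under test, runs listxattr/getxattr/setxattr/removexattr against "security.selinux", and reports the errno of each step so a Lustre mount can be compared side by side with XFS or ext4 on the same host. The label value it writes is a constructed SELinux context string, and the scratch path is whatever the caller passes in.

```c
/* probe_selinux_xattr.c: added diagnostic, not part of Lustre.
 * Exercises the four xattr syscalls on "security.selinux" for one scratch
 * file and reports the errno of each step, so the Lustre behaviour described
 * in LU-13679 can be compared with XFS or ext4 on the same host.
 * Build: cc -o probe_selinux_xattr probe_selinux_xattr.c */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SELINUX_XATTR "security.selinux"

/* listxattr(2) fills its buffer with NUL-separated names; report whether
 * `name` is among them.  Pure function, so it can be checked offline against
 * a constructed buffer. */
int xattr_list_contains(const char *buf, size_t len, const char *name)
{
    size_t want = strlen(name), off = 0;

    while (off < len) {
        const char *cur = buf + off;
        const char *end = memchr(cur, '\0', len - off);
        size_t n = end ? (size_t)(end - cur) : len - off;

        if (n == want && memcmp(cur, name, n) == 0)
            return 1;
        off += n + 1;
    }
    return 0;
}

struct probe_result {
    int list_has_selinux; /* 1 if listxattr reported security.selinux */
    int get_errno;        /* 0 on success, else errno from getxattr */
    int set_errno;        /* 0 on success, else errno from setxattr */
    int remove_errno;     /* 0 on success, else errno from removexattr */
};

/* Run the four operations on `path`.  Returns 0 with `r` filled in, or
 * -errno if the file cannot even be listed (for example -ENOENT). */
int probe_selinux_xattr(const char *path, struct probe_result *r)
{
    char list[4096], val[256];
    /* Constructed label; any syntactically valid context would do. */
    const char *label = "unconfined_u:object_r:user_home_t:s0";
    ssize_t n;

    memset(r, 0, sizeof(*r));

    n = listxattr(path, list, sizeof(list));
    if (n < 0)
        return -errno;
    r->list_has_selinux = xattr_list_contains(list, (size_t)n, SELINUX_XATTR);

    if (getxattr(path, SELINUX_XATTR, val, sizeof(val)) < 0)
        r->get_errno = errno;
    if (setxattr(path, SELINUX_XATTR, label, strlen(label), 0) < 0)
        r->set_errno = errno;
    if (removexattr(path, SELINUX_XATTR) < 0)
        r->remove_errno = errno;
    return 0;
}

static const char *err(int e) { return e ? strerror(e) : "ok"; }

int main(int argc, char **argv)
{
    struct probe_result r;
    int fd, rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <new scratch file on the mount to test>\n", argv[0]);
        return 2;
    }
    /* O_EXCL: only ever touch a file this tool created, never an existing
     * (possibly labelled) one. */
    fd = open(argv[1], O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    close(fd);

    rc = probe_selinux_xattr(argv[1], &r);
    if (rc < 0) {
        fprintf(stderr, "listxattr: %s\n", strerror(-rc));
    } else {
        printf("listxattr shows %s: %s\n", SELINUX_XATTR, r.list_has_selinux ? "yes" : "no");
        printf("getxattr:    %s\n", err(r.get_errno));
        printf("setxattr:    %s\n", err(r.set_errno));
        printf("removexattr: %s\n", err(r.remove_errno));
    }
    unlink(argv[1]);
    return rc < 0;
}
```

Writing to the security.* namespace needs CAP_SYS_ADMIN unless an LSM claims the name, so run the tool as root; with SELinux enabled the set and remove steps are additionally subject to policy and the results then reflect policy rather than filesystem support. On a mount showing the ticket's behaviour the expected output is "no" for the listing and "Operation not supported" for setxattr and removexattr, whereas a local XFS file with SELinux disabled reports the attribute after the set and removes it cleanly.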
| Comments |
| Comment by Andreas Dilger [ 15/Jun/20 ] |

Probably some searching in the Git history for this code would reveal details of the patch that committed this, and the LU or Bugzilla tickets around it. My recollection is that this was a performance optimization from before xattr cache, to avoid a useless RPC for every file to fetch the non-existent xattr when SELinux was not enabled. If we don't see an extra RPC today because the security.selinux xattr (or lack thereof) is cached on the client, then it seems time to remove this optimization.