[LU-13679] security.selinux xattr handling when SELinux is disabled Created: 15/Jun/20  Updated: 15/Jun/20

Status: Open
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.12.5
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Andrew Perepechko Assignee: WC Triage
Resolution: Unresolved Votes: 0
Labels: None

Severity: 3
Rank (Obsolete): 9223372036854775807

Description

When SELinux is disabled, "security.selinux" does not have any special meaning.

However,

1) security.selinux is filtered out from the xattr cache even when SELinux is disabled

                } else if (!strcmp(xdata, "security.selinux")) {
                        /* Filter out security.selinux, it is cached in slab */
                        CDEBUG(D_CACHE, "not caching security.selinux\n");
                        rc = 0;
                } else {

Lustre listxattr, as opposed to other Linux filesystems such as XFS, will not list "security.selinux", and getxattr will not return its value.

2) security.selinux is not allowed to be modified or removed when SELinux is disabled

        /* LU-549:  Disable security.selinux when selinux is disabled */
        if (xattr_type == XATTR_SECURITY_T && !selinux_is_enabled() &&
            strcmp(name, "security.selinux") == 0)
                RETURN(-EOPNOTSUPP);

This looks like a very old optimization of a case which is not completely clear to me. Under what circumstances would anyone modify security.selinux without SELinux enabled? Is it some sort of untar? If so, then is it correct to return EOPNOTSUPP instead of applying the xattr?

Either way, without SELinux enabled, XFS allows security.selinux removal.
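The four behaviours the description compares (whether "security.selinux" is listed, readable, settable and removable on a mount where SELinux is disabled) can be checked from user space without reading the client code. The probe below is an added example written for this ticket, not Lustre code; it assumes only the standard Linux xattr syscalls, uses a constructed sample label, and must be pointed at a scratch file on the mount under test, since the set and remove steps modify that inode and, with no LSM claiming the name, need CAP_SYS_ADMIN.

```c
/* Added example for this ticket, not Lustre code: probe how one filesystem
 * treats the "security.selinux" xattr (list / get / set / remove) so a
 * Lustre mount can be compared with a local filesystem such as XFS. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

/* Outcome of each syscall: rc as returned, errno captured when rc < 0. */
struct xattr_probe {
    int list_rc, list_err, listed;   /* listed = 1 if the name was in the list */
    int get_rc, get_err;
    int set_rc, set_err;
    int remove_rc, remove_err;
};

/* Map the errno values relevant to this ticket onto short labels. */
const char *classify_errno(int err)
{
    switch (err) {
    case 0:       return "ok";
    case ENODATA: return "absent";       /* xattr simply not set on the inode */
    case ENOTSUP: return "unsupported";  /* EOPNOTSUPP, the LU-549 path above */
    case EPERM:   return "denied";       /* CAP_SYS_ADMIN or LSM policy */
    case EACCES:  return "denied";
    default:      return "other";
    }
}

/* Run all four operations on `path`. Returns 0 when the probe ran, -1 if the
 * path does not exist. Scratch files only: set/remove modify the inode. */
int probe_selinux_xattr(const char *path, struct xattr_probe *p)
{
    char names[4096], value[256];
    /* constructed sample context, an assumption; any valid label works */
    static const char label[] = "system_u:object_r:tmp_t:s0";
    int off;

    memset(p, 0, sizeof(*p));
    if (access(path, F_OK) != 0)
        return -1;

    p->list_rc = (int)listxattr(path, names, sizeof(names));
    if (p->list_rc < 0)
        p->list_err = errno;
    /* listxattr fills the buffer with a sequence of NUL-terminated names */
    for (off = 0; off < p->list_rc; off += (int)strlen(names + off) + 1)
        if (strcmp(names + off, SELINUX_XATTR) == 0)
            p->listed = 1;

    p->get_rc = (int)getxattr(path, SELINUX_XATTR, value, sizeof(value));
    if (p->get_rc < 0)
        p->get_err = errno;
    p->set_rc = setxattr(path, SELINUX_XATTR, label, sizeof(label), 0);
    if (p->set_rc < 0)
        p->set_err = errno;
    p->remove_rc = removexattr(path, SELINUX_XATTR);
    if (p->remove_rc < 0)
        p->remove_err = errno;
    return 0;
}

/* Probe a fresh temporary file in /tmp (a local filesystem), then delete it. */
int probe_temp_file(struct xattr_probe *p)
{
    char path[] = "/tmp/selinux-xattr-probe-XXXXXX";
    int fd = mkstemp(path), rc;

    if (fd < 0)
        return -1;
    close(fd);
    rc = probe_selinux_xattr(path, p);
    unlink(path);
    return rc;
}

/* Sanity check on the local filesystem: the probe completes, listxattr works,
 * and getxattr either succeeds or fails with an errno this ticket discusses. */
int self_check(void)
{
    struct xattr_probe p;

    if (probe_temp_file(&p) != 0 || p.list_rc < 0)
        return 1;
    if (p.get_rc < 0 && p.get_err != ENODATA && p.get_err != ENOTSUP &&
        p.get_err != EPERM && p.get_err != EACCES)
        return 2;
    return 0;
}

void print_probe(const char *path, const struct xattr_probe *p)
{
    printf("%s\n  listxattr  : %s, %s listed\n  getxattr   : %s\n"
           "  setxattr   : %s\n  removexattr: %s\n", path,
           classify_errno(p->list_err), p->listed ? "name" : "name not",
           classify_errno(p->get_err), classify_errno(p->set_err),
           classify_errno(p->remove_err));
}

/* Usage: ./probe [scratch-file-on-mount-under-test]   (root for set/remove) */
int main(int argc, char **argv)
{
    struct xattr_probe p;

    if (argc > 1) {
        if (probe_selinux_xattr(argv[1], &p) != 0) {
            perror(argv[1]);
            return 1;
        }
        print_probe(argv[1], &p);
    } else if (probe_temp_file(&p) == 0) {
        print_probe("/tmp (temporary file)", &p);
    }
    return 0;
}
```

Run it as root against a scratch file on the Lustre mount and against one on an XFS mount with SELinux disabled: on the Lustre side the description predicts "name not listed", "absent" for getxattr and "unsupported" for set and remove, while XFS reports "absent" for get and "ok" for set and remove. On a host where SELinux is enabled the set and remove outcomes reflect SELinux policy rather than the filesystem, so the comparison is only meaningful with SELinux disabled.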



Comments
Comment by Andreas Dilger [ 15/Jun/20 ]

Probably some searching in the Git history for this code would reveal details of the patch that committed this, and the LU or Bugzilla tickets around it. My recollection is that this was a performance optimization from before xattr cache, to avoid a useless RPC for every file to fetch the non-existent xattr when SELinux was not enabled. If we don't see an extra RPC today because the security.selinux xattr (or lack thereof) is cached on the client, then it seems time to remove this optimization.
