[LU-13679] security.selinux xattr handling when SELinux is disabled

Mon, 15 Jun 2020 21:31:28 +0000

When SELinux is disabled, "security.selinux" does not have any special meaning.

However,

1) security.selinux is filtered out from the xattr cache even when SELinux is disabled

                } else if (!strcmp(xdata, "security.selinux")) {
                        /* Filter out security.selinux, it is cached in slab */
                        CDEBUG(D_CACHE, "not caching security.selinux\n");
                        rc = 0;
                } else {

Lustre listxattr, as opposed to other Linux filesystems such as XFS, will not list "security.selinux", getxattr will not return its value.

2) security.selinux is not allowed to be modified or removed when SELinux is disabled

        /* LU-549:  Disable security.selinux when selinux is disabled */
        if (xattr_type == XATTR_SECURITY_T && !selinux_is_enabled() &&
            strcmp(name, "security.selinux") == 0)
                RETURN(-EOPNOTSUPP);

This looks like a very old optimization of a case which is not completely clear to me. Under what circumstances would anyone modify security.selinux without SELinux enabled? Is it some sort of untar? If so, then is it correct to return EOPNOTSUPP instead of applying the xattr?

Either way, without SELinux enabled, XFS allows security.selinux removal.

Whamcloud Community JIRA

[LU-13679] security.selinux xattr handling when SELinux is disabled