git.baikalelectronics.ru Git - kernel.git/commit

author	Jonathan Lebon <jlebon@redhat.com>
	Thu, 28 May 2020 14:39:40 +0000 (10:39 -0400)
committer	Paul Moore <paul@paul-moore.com>
	Wed, 24 Jun 2020 00:42:38 +0000 (20:42 -0400)
commit	49a0e1e889229ea58bee92c3051fe8cda5da7547
tree	cbbab81df5052aa571c35e91b493936204e991fe	tree \| snapshot
parent	74a27a5f5a99e6b5adfd790053b6cccac3270c76	commit \| diff

selinux: allow reading labels before policy is loaded

This patch does for `getxattr` what commit 03a97c42d325 ("selinux: allow
labeling before policy is loaded") did for `setxattr`; it allows
querying the current SELinux label on disk before the policy is loaded.

One of the motivations described in that commit message also drives this
patch: for Fedora CoreOS (and eventually RHEL CoreOS), we want to be
able to move the root filesystem for example, from xfs to ext4 on RAID,
on first boot, at initrd time.[1]

Because such an operation works at the filesystem level, we need to be
able to read the SELinux labels first from the original root, and apply
them to the files of the new root. The previous commit enabled the
second part of this process; this commit enables the first part.

[1] https://github.com/coreos/fedora-coreos-tracker/issues/94

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>