Hi,

On Mon, Oct 04, 2021 at 09:44:49AM +0800, Gao Xiang wrote:
> On Sun, Oct 03, 2021 at 08:31:18PM -0400, David Michael wrote:
> > On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <[email protected]> wrote:
> > > Hi David,
> > >
> > > On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote:
> > > > Hi,
> > > >
> > > > I tried to make an SELinux-labeled EROFS image, and the image itself
> > > > seems to contain the labels from a hex dump, but the mounted files are
> > > > all unlabeled:
> > > >
> > > > # ls -lZ xml
> > > > total 8
> > > > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 4096 Sep
> > > > 29 21:43 dbus-1
> > > > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep
> > > > 29 22:19 fontconfig
> > > > # mkfs.erofs test.img xml
> > > > mkfs.erofs 1.3-g4e183568-dirty
> > > > c_version: [1.3-g4e183568-dirty]
> > > > c_dbg_lvl: [ 2]
> > > > c_dry_run: [ 0]
> > > > # mount -o X-mount.mkdir test.img test
> > > > # ls -lZ test
> > > > total 8
> > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct 2
> > > > 18:37 dbus-1
> > > > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct 2
> > > > 18:37 fontconfig
> > > >
> > > > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with
> > > > the relevant config options:
> > > >
> > > > CONFIG_EROFS_FS=m
> > > > # CONFIG_EROFS_FS_DEBUG is not set
> > > > CONFIG_EROFS_FS_XATTR=y
> > > > CONFIG_EROFS_FS_POSIX_ACL=y
> > > > CONFIG_EROFS_FS_SECURITY=y
> > > > CONFIG_EROFS_FS_ZIP=y
> > > >
> > > > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and
> > > > it also has the same issue. However, the earliest kernel in Fedora 33
> > > > (5.8.15-301.fc33.x86_64) has the correct labels when the image is
> > > > mounted. Is there a problem in the file system driver, or do I need to
> > > > do something different for newer kernels?
> > >
> > > Thanks for your report!
> > >
> > > I don't think there is any difference between 5.8 - 5.14 on EROFS selinux
> > > xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10.
> > >
> > > Would you mind checking if Fedora kernels did something new for EROFS or
> > > something else on fc34? Can you check if the images work on upstream
> > > kernels?
> >
> > The labels failed in the same way on every distro I tried: Fedora,
> > openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo
> > (5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened).
> >
> > I noticed that the labels appear correctly when the system is running
> > with SELinux disabled, but booting with it enabled results in
> > unlabeled_t labels on erofs mounts.
>
> May I ask what "getfattr -m security.selinux" returns for these files if
> the issue happens?
>
> I have no idea what's wrong with the recent versions. I'll dig into it
> further. But it needs some extra time.
I found SECURITY_FS_USE_XATTR was not set due to lack of proper sepolicy.
I've sent out a patch to refpolicy to address this:
https://lore.kernel.org/selinux-refpolicy/[email protected]/

Actually Android has its own sepolicy and doesn't use refpolicy above.
We updated it several years ago. But refpolicy seems not.

As for why Fedora 33 works, I have no clue yet (don't have much time on
digging this.)

Thanks,
Gao Xiang
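The root cause named above is a policy gap rather than a driver bug: the kernel only honours on-disk security.selinux xattrs for a filesystem type that the loaded policy covers with an fs_use_xattr rule, and a type with no fs_use rule at all ends up with files reported as unlabeled_t, exactly the symptom in the ls -lZ output. The following script is an added example, not code from this thread, from erofs-utils or from refpolicy. It parses fs_use_* statements in refpolicy's filesystem.te syntax from a constructed policy excerpt (sample data, with erofs deliberately missing), reports which types will not read their stored labels, and appends an fs_use_xattr rule in the shape the refpolicy fix takes; the exact rule text and the system_u:object_r:fs_t,s0 context are assumptions here, not copied from the linked patch.

```python
import re

# Constructed excerpt in the syntax of refpolicy's
# policy/modules/kernel/filesystem.te (sample data for this example, not
# the real file). Note that no rule mentions erofs.
SAMPLE_POLICY = """\
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
"""

# One fs_use_* statement: behaviour keyword, filesystem type, context.
FS_USE_RE = re.compile(
    r"^\s*(fs_use_(?:xattr|trans|task))\s+(\S+)\s+gen_context\(([^)]*)\)\s*;"
)


def parse_fs_use(policy_text):
    """Map each filesystem type to (behaviour, context) from fs_use_* rules."""
    rules = {}
    for line in policy_text.splitlines():
        m = FS_USE_RE.match(line)
        if m:
            behaviour, fstype, ctx = m.groups()
            rules[fstype] = (behaviour, ctx)
    return rules


def labeling_behavior(policy_text, fstype):
    """Return how inodes on `fstype` get their labels under this policy:
    'xattr' - read from the security.selinux xattr stored in the image
    'trans' - derived from the mounting process and the fs context
    'task'  - taken from the creating task
    'none'  - no fs_use rule: files show up as unlabeled_t (the symptom in
              this thread) unless a genfscon rule happens to match instead
    """
    rules = parse_fs_use(policy_text)
    if fstype not in rules:
        return "none"
    return rules[fstype][0][len("fs_use_"):]


def missing_xattr_support(policy_text, fstypes):
    """Filesystem types in `fstypes` that will not read their on-disk labels."""
    return [fs for fs in fstypes if labeling_behavior(policy_text, fs) != "xattr"]


def add_fs_use_xattr(policy_text, fstype, context="system_u:object_r:fs_t,s0"):
    """Append an fs_use_xattr rule for `fstype` (assumed shape of the fix;
    the rule text is not copied from the refpolicy patch). Returns the
    updated policy source, unchanged if the type already has an fs_use rule."""
    if fstype in parse_fs_use(policy_text):
        return policy_text
    line = f"fs_use_xattr {fstype} gen_context({context});"
    return policy_text.rstrip("\n") + "\n" + line + "\n"


if __name__ == "__main__":
    for fs in ("ext4", "erofs", "tmpfs"):
        print(f"{fs:6s} -> {labeling_behavior(SAMPLE_POLICY, fs)}")
    print("no xattr labels:", missing_xattr_support(SAMPLE_POLICY, ["ext4", "erofs"]))
    fixed = add_fs_use_xattr(SAMPLE_POLICY, "erofs")
    print("erofs after fix ->", labeling_behavior(fixed, "erofs"))
```

On a live system the same question is answered by the installed binary policy rather than its source: `seinfo --fs_use` (setools) lists the fs_use rules the kernel loaded, and `getfattr -m security.selinux -d FILE` on the mounted image, as asked for earlier in the thread, confirms the label is actually present on disk and the gap is in the policy, not the image.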
