Hey,
coreutils 9.6 appears to have a regression in `ls(1)` for SELinux-aware
builds. `ls -Z` fails to obtain the security context for certain
filesystem objects (e.g. `/sys`). Example to reproduce on Gentoo with
refpolicy:

rsandhu@graphite ~ $ ls -alZ /run/ | grep '?'
drwxr-xr-x 3 root root ?   60 Apr 5 16:38 credentials
drwxr-xr-x 3 root root ?   80 Apr 2 16:30 initramfs
drwxr-xr-x 2 root root ?   40 Apr 2 16:23 modprobe.d
rsandhu@graphite ~ $ getfilecon /run/{credentials,initramfs,modprobe.d}
/run/credentials system_u:object_r:tmpfs_t:s0
/run/initramfs system_u:object_r:tmpfs_t:s0
/run/modprobe.d system_u:object_r:tmpfs_t:s0

Since 432ad8738387f1b2e80e883dc7080df3afabe, coreutils attempts to list
all attributes instead of specifically getting the "security.selinux"
xattr via `getxattr(2)` (which is what libselinux internally calls). As
seen below, the security context xattr only shows when specifically
requesting it by passing the arguments -n 'security.selinux' to the
command line:

rsandhu@graphite ~ $ getfattr -d -m '' /run/credentials
<no output>
rsandhu@graphite ~ $ getfattr -n 'security.selinux' /run/credentials
getfattr: Removing leading '/' from absolute path names
# file: run/credentials
security.selinux="system_u:object_r:tmpfs_t:s0"

Reverting this commit[1], which no longer handles this case, fixes the
regression.
More information is available in the related post on the SELinux mailing
list[2].
Thanks,
Rahul
[1] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=4ce432ad8738387f1b2e80e883dc7080df3afabe
[2] https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=ioawx4y77ph0ecfcqcuuj+t87f...@mail.gmail.com/
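
Added example, not part of the original message and not coreutils code: a small C probe for the mismatch the report describes, where `security.selinux` can be read by name but does not appear when the attributes are enumerated. The function names, the result labels and the use of the `l*xattr` variants (which do not follow symlinks) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

enum probe_result { CTX_NONE, CTX_LISTED, CTX_HIDDEN };

/* Return 1 if `name` occurs in a listxattr(2)-style buffer of
   NUL-terminated names packed back to back, else 0. */
int xattr_list_has(const char *list, ssize_t len, const char *name)
{
    for (ssize_t off = 0; off < len; off += (ssize_t)strlen(list + off) + 1)
        if (strcmp(list + off, name) == 0)
            return 1;
    return 0;
}

/* CTX_HIDDEN is the case from the report: the context can be read by
   name, but enumerating the attributes does not show it. */
enum probe_result classify(int listed, int readable)
{
    if (!readable)
        return CTX_NONE;
    return listed ? CTX_LISTED : CTX_HIDDEN;
}

/* Query one path both ways. A size-0 call only asks for the length. */
enum probe_result probe_path(const char *path)
{
    ssize_t n = llistxattr(path, NULL, 0);
    char *list = n > 0 ? malloc((size_t)n) : NULL;
    if (list)
        n = llistxattr(path, list, (size_t)n);
    int listed = list && n > 0 && xattr_list_has(list, n, SELINUX_XATTR);
    free(list);
    int readable = lgetxattr(path, SELINUX_XATTR, NULL, 0) >= 0;
    return classify(listed, readable);
}

int main(int argc, char **argv)
{
    static const char *label[] = { "no context", "listed", "HIDDEN from listing" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], label[probe_path(argv[i])]);
    return 0;
}
```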