On 07/04/2025 23:10, Paul Eggert wrote:
On 4/5/25 18:49, Rahul Sandhu wrote:
the security context xattr only shows when specifically
requesting it by passing the arguments -n 'security.selinux' to the
command line:
rsandhu@graphite ~ $ getfattr -d -m '' /run/credentials
<no output>
rsandhu@graphite ~ $ getfattr -n 'security.selinux' /run/credentials
getfattr: Removing leading '/' from absolute path names
# file: run/credentials
security.selinux="system_u:object_r:tmpfs_t:s0"
I don't observe the problem on my Fedora 41 platform. What happens when
you run this command?
strace -o tr getfattr -d -m '' /run/credentials
On Fedora, 'tr' ends like this:
...
newfstatat(AT_FDCWD, "/run/credentials", {st_mode=S_IFDIR|0755,
st_size=200, ...}, AT_SYMLINK_NOFOLLOW) = 0
listxattr("/run/credentials", NULL, 0) = 17
listxattr("/run/credentials", "security.selinux\0", 256) = 17
getxattr("/run/credentials", "security.selinux", NULL, 0) = 31
getxattr("/run/credentials", "security.selinux",
"system_u:object_r:var_run_t:s0", 256) = 31
write(2, "getfattr: Removing leading '/' f"..., 56) = 56
...
which means listxattr is operating correctly. What does listxattr do on
your platform?
I get the same for /run/credentials on Fedora 41 (6.13.6-200.fc41.x86_64) here,
but I do repro the issue with /run/initramfs.
$ strace --trace=/.*xattr.* getfattr -d -m '' /run/initramfs
listxattr("/run/initramfs", NULL, 0) = 0
$ strace --trace=/.*xattr.* getfattr -n 'security.selinux' /run/initramfs
getxattr("/run/initramfs", "security.selinux", NULL, 0) = 29
getxattr("/run/initramfs", "security.selinux",
"system_u:object_r:tmpfs_t:s0", 256) = 29
getfattr: Removing leading '/' from absolute path names
# file: run/initramfs
security.selinux="system_u:object_r:tmpfs_t:s0"
If listxattr is returning 0, that would seem to be a bug in listxattr,
and perhaps we can figure out which platforms have the bug and work
around it. For example, perhaps we could run 'listxattr("/run", NULL,
0)' and use a (slower) workaround only if that returns 0. The idea is to
do the workaround only on the affected platforms.
Unfortunately that won't work.
$ strace --trace=/.*xattr.* getfattr -d -m '' /run/
listxattr("/run/", NULL, 0) = 17
I'm not sure how we could distinguish this case.
$ stat /run/initramfs
File: /run/initramfs
Size: 60 Blocks: 0 IO Block: 4096 directory
Device: 0,26 Inode: 20 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:tmpfs_t:s0
$ stat /run
File: /run
Size: 1600 Blocks: 0 IO Block: 4096 directory
Device: 0,26 Inode: 1 Links: 58
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:var_run_t:s0
Note /run/initramfs is the only problematic entry for me,
and that's the only entry with "tmpfs_t" in the context.
As for efficiency, on SELinux systems listxattr() would generally never return
0,
but yes on others we'd we doing an extra getxattr().
So maybe we class this as a kernel bug and have the kernel
return non 0 for this case, or even ENOTSUP.
cheers,
Pádraig
