On 07/04/2025 19:22, Pádraig Brady wrote:
On 07/04/2025 19:03, Pádraig Brady wrote:
On 06/04/2025 02:49, Rahul Sandhu wrote:
Hey,

coreutils 9.6 appears to have a regression in `ls(1)` for SELinux-aware
builds. `ls -Z` fails to obtain the security context for certain
filesystem objects (e.g. `/sys`). Example to reproduce on Gentoo with
refpolicy:

rsandhu@graphite ~ $ ls -alZ /run/ | grep '?'
drwxr-xr-x   3 root     root     ?                                               60 Apr  5 16:38 credentials
drwxr-xr-x   3 root     root     ?                                               80 Apr  2 16:30 initramfs
drwxr-xr-x   2 root     root     ?                                               40 Apr  2 16:23 modprobe.d

This may be fixed with https://github.com/coreutils/coreutils/commit/cb2abbac7

Could you try the latest snapshot to see if it fixes this for you?

     wget https://pixelbeat.org/cu/coreutils-ss.tar.xz
     tar -xf coreutils-ss.tar.xz
     cd coreutils-9.6.53-14af8/
     ./configure && make -j4
     src/ls -alZ /run/


Actually sorry the above will not address this.
I'll have a deeper look now.

The attached gnulib patch passes quick tests here.
I'll think some more about it and apply later.

thanks,
Pádraig
--- /home/padraig/git/gnulib/lib/file-has-acl.c	2025-03-21 11:53:43.211569948 +0000
+++ lib/file-has-acl.c	2025-04-07 18:54:45.586832394 +0000
@@ -50,6 +50,7 @@
 #  include <selinux/selinux.h>
 # endif
 # include <stdckdint.h>
+# include <stdint.h>
 # include <string.h>
 # include <arpa/inet.h>
 # include <sys/xattr.h>
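Review bot: the added `# include <stdint.h>` is not used by any changed line in the other hunks of this patch; none of them references a stdint type or macro. If it is needed by code outside the visible hunks, say so in the commit message; otherwise drop it so the fix stays minimal.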
@@ -102,13 +103,17 @@
    This is the case when [l]listxattr failed with E2BIG,
    or is not supported (!acl_errno_valid()), or failed with EACCES
    which in Linux kernel 6.12 NFS can mean merely that we lack read access.
+   Also ai->size == 0 was seen with certain file system objects on Linux,
+   like /run/initramfs where listxattr() returns 0
+   but getxattr("security.selinux") returns data.
 */
 
 static bool
 aclinfo_may_indicate_xattr (struct aclinfo const *ai)
 {
-  return ai->size < 0 && (!acl_errno_valid (ai->u.err)
-                          || ai->u.err == EACCES || ai->u.err == E2BIG);
+  return ai->size == 0
+         || (ai->size < 0 && (!acl_errno_valid (ai->u.err)
+                              || ai->u.err == EACCES || ai->u.err == E2BIG));
 }
 
 /* Does NAME have XATTR?  */
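Review bot: in aclinfo_may_indicate_xattr, returning true for `ai->size == 0` means a successful but empty listxattr() result is no longer trusted, so every object with no listed attributes now takes the fallback path, not only the "certain file system objects" the new comment mentions. Please state that cost in the comment (one extra attribute lookup per such file) and confirm that every caller of this helper wants the new behaviour, not only the ACL_GET_SCONTEXT path changed later in this patch.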
@@ -206,13 +211,12 @@
         }
     }
 
-  /* A security context can exist only if extended attributes do.  */
   if (flags & ACL_GET_SCONTEXT
       && (0 < ai->size || aclinfo_may_indicate_xattr (ai)))
     {
       if (is_smack_enabled ())
         {
-          if (ai->size < 0 || aclinfo_has_xattr (ai, XATTR_NAME_SMACK))
+          if (ai->size <= 0 || aclinfo_has_xattr (ai, XATTR_NAME_SMACK))
             {
               ssize_t r = smack_new_label_from_path (name, "security.SMACK64",
                                                      flags & ACL_SYMLINK_FOLLOW,
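Review bot: the comment "A security context can exist only if extended attributes do" is removed without a replacement, which leaves the guard `(0 < ai->size || aclinfo_may_indicate_xattr (ai))` unexplained. With the helper now true for size == 0, this guard is false only when ai->size is negative and the error is a valid one other than EACCES or E2BIG; a one-line comment saying so, or a condition written directly in those terms, would make the intent clear to the next reader.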
@@ -223,7 +227,7 @@
       else
         {
 # if USE_SELINUX_SELINUX_H
-          if (ai->size < 0 || aclinfo_has_xattr (ai, XATTR_NAME_SELINUX))
+          if (ai->size <= 0 || aclinfo_has_xattr (ai, XATTR_NAME_SELINUX))
             {
               ssize_t r =
                 ((flags & ACL_SYMLINK_FOLLOW ? getfilecon : lgetfilecon)
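Review bot: the `ai->size <= 0 || aclinfo_has_xattr (ai, XATTR_NAME_SELINUX)` test duplicates the change made in the SMACK branch, and nothing in the patch exercises the new case. Consider factoring the repeated `ai->size <= 0 || aclinfo_has_xattr (ai, ...)` check into one small helper, and add a regression test for an object where listxattr() returns 0 while the security.selinux attribute is still readable, since that is the case the fix depends on.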
