GNU bug report logs -
#77597
coreutils 9.6: regression in handling security.selinux attribute for ls(1)
Hey,
coreutils 9.6 appears to have a regression in `ls(1)` for SELinux-aware
builds. `ls -Z` fails to obtain the security context for certain
filesystem objects (e.g. `/sys`). Example to reproduce on Gentoo with
refpolicy:
rsandhu@graphite ~ $ ls -alZ /run/ | grep '?'
drwxr-xr-x 3 root root ? 60 Apr 5 16:38 credentials
drwxr-xr-x 3 root root ? 80 Apr 2 16:30 initramfs
drwxr-xr-x 2 root root ? 40 Apr 2 16:23 modprobe.d
rsandhu@graphite ~ $ getfilecon /run/{credentials,initramfs,modprobe.d}
/run/credentials system_u:object_r:tmpfs_t:s0
/run/initramfs system_u:object_r:tmpfs_t:s0
/run/modprobe.d system_u:object_r:tmpfs_t:s0
Since 4ce432ad8738387f1b2e80e883dc7080df3afabe, coreutils attempts to list
all attributes instead of specifically getting the "security.selinux"
xattr via `getxattr(2)` (which is what libselinux internally calls). As
seen below, the security context xattr only shows when specifically
requesting it by passing the arguments -n 'security.selinux' to the
command line:
rsandhu@graphite ~ $ getfattr -d -m '' /run/credentials
<no output>
rsandhu@graphite ~ $ getfattr -n 'security.selinux' /run/credentials
getfattr: Removing leading '/' from absolute path names
# file: run/credentials
security.selinux="system_u:object_r:tmpfs_t:s0"
Reverting this commit[1], which no longer handles this case, fixes the
regression.
More information is available in the related post on the SELinux mailing
list[2].
Thanks,
Rahul
[1] https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=4ce432ad8738387f1b2e80e883dc7080df3afabe
[2] https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@mail.gmail.com/
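The mismatch described in the report can be checked per path with a small Linux probe that compares what listxattr(2) enumerates against a direct getxattr(2) for "security.selinux". This is an added example, not code from the report or from coreutils; the function and enum names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

/* listxattr(2) returns names as consecutive NUL-terminated strings. */
static int list_has_name(const char *list, ssize_t len, const char *name)
{
    for (ssize_t off = 0; off < len; ) {
        const char *end = memchr(list + off, '\0', (size_t)(len - off));
        if (!end)
            break;                      /* unterminated tail: ignore it */
        if (strcmp(list + off, name) == 0)
            return 1;
        off = (ssize_t)(end - list) + 1;
    }
    return 0;
}

enum probe { PROBE_ERROR = -1, PROBE_NO_LABEL, PROBE_LISTED, PROBE_HIDDEN };

/* PROBE_HIDDEN is the case from the report: getxattr(2) returns a label
 * that listxattr(2) does not enumerate (names here are illustrative). */
static enum probe probe_selinux_label(const char *path)
{
    char list[4096], value[512];
    ssize_t llen = listxattr(path, list, sizeof list);
    ssize_t vlen = getxattr(path, SELINUX_XATTR, value, sizeof value);

    if (llen < 0)
        return PROBE_ERROR;             /* cannot enumerate at all */
    if (vlen < 0)
        return PROBE_NO_LABEL;          /* no label readable by name */
    return list_has_name(list, llen, SELINUX_XATTR) ? PROBE_LISTED : PROBE_HIDDEN;
}

int main(int argc, char **argv)
{
    static const char *const text[] = { "no label", "label listed", "label NOT listed" };
    for (int i = 1; i < argc; i++) {
        enum probe p = probe_selinux_label(argv[i]);
        if (p == PROBE_ERROR) perror(argv[i]);
        else printf("%s: %s\n", argv[i], text[p]);
    }
    return 0;
}
```

A path reported as "label NOT listed" is one where code that relies on the attribute list alone would show `?` for the context even though the label exists.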
This bug report was last modified 20 days ago.