GNU bug report logs - #77597
coreutils 9.6: regression in handling security.selinux attribute for ls(1)

Previous Next

Full log

View this message in rfc822 format

From: Pádraig Brady <P <at> draigBrady.com>
To: Paul Eggert <eggert <at> cs.ucla.edu>, Rahul Sandhu <nvraxn <at> gmail.com>
Cc: 77597 <at> debbugs.gnu.org
Subject: bug#77597: coreutils 9.6: regression in handling security.selinux attribute for ls(1)
Date: Mon, 7 Apr 2025 23:52:17 +0100

On 07/04/2025 23:10, Paul Eggert wrote:
> On 4/5/25 18:49, Rahul Sandhu wrote:
> 
>> the security context xattr only shows when specifically
>> requesting it by passing the arguments -n 'security.selinux' to the
>> command line:
>> rsandhu <at> graphite ~ $ getfattr -d -m '' /run/credentials
>> <no output>
>> rsandhu <at> graphite ~ $ getfattr -n 'security.selinux' /run/credentials
>> getfattr: Removing leading '/' from absolute path names
>> # file: run/credentials
>> security.selinux="system_u:object_r:tmpfs_t:s0"
> 
> I don't observe the problem on my Fedora 41 platform. What happens when
> you run this command?
> 
> strace -o tr getfattr -d -m '' /run/credentials
> 
> On Fedora, 'tr' ends like this:
> 
> ...
> newfstatat(AT_FDCWD, "/run/credentials", {st_mode=S_IFDIR|0755,
> st_size=200, ...}, AT_SYMLINK_NOFOLLOW) = 0
> listxattr("/run/credentials", NULL, 0)  = 17
> listxattr("/run/credentials", "security.selinux\0", 256) = 17
> getxattr("/run/credentials", "security.selinux", NULL, 0) = 31
> getxattr("/run/credentials", "security.selinux",
> "system_u:object_r:var_run_t:s0", 256) = 31
> write(2, "getfattr: Removing leading '/' f"..., 56) = 56
> ...
> 
> which means listxattr is operating correctly. What does listxattr do on
> your platform?

I get the same for /run/credentials on Fedora 41 (6.13.6-200.fc41.x86_64) here,
but I do repro the issue with /run/initramfs.

  $ strace --trace=/.*xattr.* getfattr -d -m '' /run/initramfs
  listxattr("/run/initramfs", NULL, 0)    = 0

  $ strace --trace=/.*xattr.* getfattr -n 'security.selinux' /run/initramfs
  getxattr("/run/initramfs", "security.selinux", NULL, 0) = 29
  getxattr("/run/initramfs", "security.selinux", "system_u:object_r:tmpfs_t:s0", 256) = 29
  getfattr: Removing leading '/' from absolute path names
  # file: run/initramfs
  security.selinux="system_u:object_r:tmpfs_t:s0"


> If listxattr is returning 0, that would seem to be a bug in listxattr,
> and perhaps we can figure out which platforms have the bug and work
> around it. For example, perhaps we could run 'listxattr("/run", NULL,
> 0)' and use a (slower) workaround only if that returns 0. The idea is to
> do the workaround only on the affected platforms.

Unfortunately that won't work.

  $ strace --trace=/.*xattr.* getfattr -d -m '' /run/
  listxattr("/run/", NULL, 0)             = 17

I'm not sure how we could distinguish this case.

  $ stat /run/initramfs
    File: /run/initramfs
  Size: 60        	Blocks: 0          IO Block: 4096   directory
  Device: 0,26	Inode: 20          Links: 3
  Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
  Context: system_u:object_r:tmpfs_t:s0

  $ stat /run
    File: /run
    Size: 1600      	Blocks: 0          IO Block: 4096   directory
  Device: 0,26	Inode: 1           Links: 58
  Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
  Context: system_u:object_r:var_run_t:s0

Note /run/initramfs is the only problematic entry for me,
and that's the only entry with "tmpfs_t" in the context.

As for efficiency, on SELinux systems listxattr() would generally never return 0,
but yes on others we'd we doing an extra getxattr().
So maybe we class this as a kernel bug and have the kernel
return non 0 for this case, or even ENOTSUP.

cheers,
Pádraig

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.