[LSM Stacking] new files fail to inherit SELinux security context of the current directory
Leesoo Ahn
lsahn at wewakecorp.com
Mon Jul 3 02:06:00 UTC 2023
Test env
- Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
- boot param: lsm=apparmor,selinux
- AppArmor (Host) + SELinux (Container Fedora 36)
Hello! I'm currently working on a project related to LSM Stacking, and a
few days ago I encountered a significant issue with SELinux in the
container environment.
When creating new files in the container using 'mkdir' and 'touch', the
new files fail to inherit the security context of the current directory.
This problem occurs for the following reason: the
'security_inode_init_security' hook is called, which sequentially calls
'apparmor_inode_init_security' and then 'selinux_inode_init_security'.
'apparmor_inode_init_security' always returns -EOPNOTSUPP, hence
'selinux_inode_init_security' is never called.
Would 'return 0' in 'apparmor_inode_init_security', so that the stacked hooks
are called sequentially, have no side effects? If so, the solution would be easy.
Best regards,
Leesoo
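The short-circuit described in the post, as an added model that is not kernel code and not the author's: two stand-in hooks (model_apparmor_hook, model_selinux_hook, both hypothetical names) are walked in lsm= order, first with call_int_hook()'s stop-at-first-non-zero rule, then with -EOPNOTSUPP treated as "nothing to add" so the next LSM still runs.

```c
/* Added model of the LSM stacking hook chain; not kernel code. Each stand-in
 * hook returns 0 or a negative errno, and the walk mimics call_int_hook(),
 * which stops at the first non-zero return. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct lsm_entry {
    const char *name;
    int (*inode_init_security)(void);
};

static bool apparmor_called, selinux_called;

/* Stand-in for apparmor_inode_init_security(): AppArmor sets no inode label
 * and reports "not supported", as the post observes. */
static int model_apparmor_hook(void) { apparmor_called = true; return -EOPNOTSUPP; }

/* Stand-in for selinux_inode_init_security(): SELinux would derive the new
 * inode's context from the parent directory; here it simply succeeds. */
static int model_selinux_hook(void) { selinux_called = true; return 0; }

/* Walk the hooks in lsm=apparmor,selinux order. With stop_on_any_error the
 * walk ends at the first non-zero return (the short-circuit in the post);
 * otherwise -EOPNOTSUPP is skipped and the next LSM runs. Returns the final
 * rc: 0 if any LSM labelled the inode, else the error that stopped the walk. */
static int walk_inode_init_security(bool stop_on_any_error)
{
    struct lsm_entry lsms[] = {
        { "apparmor", model_apparmor_hook },
        { "selinux",  model_selinux_hook  },
    };
    int rc = -EOPNOTSUPP; /* default when no LSM handles the hook */
    apparmor_called = selinux_called = false;
    for (size_t i = 0; i < sizeof(lsms) / sizeof(lsms[0]); i++) {
        int hrc = lsms[i].inode_init_security();
        if (hrc == 0) { rc = 0; continue; }                  /* labelled; keep going */
        if (hrc == -EOPNOTSUPP && !stop_on_any_error) continue;
        return hrc;                                          /* short-circuit */
    }
    return rc;
}

/* Final rc of the chain under the given stop policy. */
int chain_rc(bool stop_on_any_error) { return walk_inode_init_security(stop_on_any_error); }

/* 1 if the SELinux stand-in was reached under the given stop policy, else 0. */
int selinux_reached(bool stop_on_any_error)
{
    walk_inode_init_security(stop_on_any_error);
    return selinux_called ? 1 : 0;
}

int main(void)
{
    printf("stop on any error: rc=%d selinux_ran=%d\n", chain_rc(true), selinux_reached(true));
    printf("skip -EOPNOTSUPP:  rc=%d selinux_ran=%d\n", chain_rc(false), selinux_reached(false));
    return 0;
}
```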