[LSM Stacking] new files fail to inherit SELinux security context of the current directory
Casey Schaufler
casey at schaufler-ca.com
Mon Jul 3 14:53:05 UTC 2023
On 7/2/2023 7:06 PM, Leesoo Ahn wrote:
> Test env
> - Ubuntu 23.04 Ubuntu Kernel v6.2 w/ Stacking patch v38
> - boot param: lsm=apparmor,selinux
> - AppArmor (Host) + SELinux (Container Fedora 36)
>
> Hello! I'm currently working on a project related to LSM Stacking, and
> a few days ago, I encountered a significant issue of SELinux in the
> container environment.
>
> When creating new files in the container using 'mkdir' and 'touch',
> the new files fail to inherit the security context of the current
> directory. This problem occurs by the following reason that
> 'security_inode_init_security' hook is called, which sequentially
> calls 'apparmor_inode_init_security' and 'selinux_inode_init_security'
> in order. 'apparmor_inode_init_security' always returns -EOPNOTSUPP,
> hence 'selinux_inode_init_security' is never called.
>
> Does 'return 0' in 'apparmor_inode_init_security' to call stacking
> hooks sequentially have no side-effects? if so, the solution would be
> easy though.
The correct fix is to security_inode_init_security(), not
apparmor_inode_init_security(). The upstream Linus kernel
does not have a hook in apparmor, so this problem wasn't
detected there. I'll be sure to get this into v39.
>
> Best regards,
> Leesoo
More information about the Linux-security-module-archive
mailing list