SELinux labels not defined

David Michael fedora.dm0 at gmail.com
Mon Oct 4 11:31:18 AEDT 2021 

On Sun, Oct 3, 2021 at 12:38 AM Gao Xiang <xiang at kernel.org> wrote:
> Hi David,
>
> On Sat, Oct 02, 2021 at 06:50:55PM -0400, David Michael wrote:
> > Hi,
> >
> > I tried to make an SELinux-labeled EROFS image, and the image itself
> > seems to contain the labels from a hex dump, but the mounted files are
> > all unlabeled:
> >
> > # ls -lZ xml
> > total 8
> > drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0         4096 Sep 29 21:43 dbus-1
> > drwxr-xr-x. 2 root root unconfined_u:object_r:fonts_cache_t:s0 4096 Sep 29 22:19 fontconfig
> > # mkfs.erofs test.img xml
> > mkfs.erofs 1.3-g4e183568-dirty
> >       c_version:           [1.3-g4e183568-dirty]
> >       c_dbg_lvl:           [       2]
> >       c_dry_run:           [       0]
> > # mount -o X-mount.mkdir test.img test
> > # ls -lZ test
> > total 8
> > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 78 Oct  2 18:37 dbus-1
> > drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 48 Oct  2 18:37 fontconfig
> >
> > This is running on the current Fedora kernel 5.14.9-200.fc34.x86_64 with
> > the relevant config options:
> >
> > CONFIG_EROFS_FS=m
> > # CONFIG_EROFS_FS_DEBUG is not set
> > CONFIG_EROFS_FS_XATTR=y
> > CONFIG_EROFS_FS_POSIX_ACL=y
> > CONFIG_EROFS_FS_SECURITY=y
> > CONFIG_EROFS_FS_ZIP=y
> >
> > I tried the earliest kernel in Fedora 34 (5.11.12-300.fc34.x86_64), and
> > it also has the same issue.  However, the earliest kernel in Fedora 33
> > (5.8.15-301.fc33.x86_64) has the correct labels when the image is
> > mounted.  Is there a problem in the file system driver, or do I need to
> > do something different for newer kernels?
>
> Thanks for your report!
>
> I don't think there is any difference between 5.8 - 5.14 on EROFS selinux
> xattrs. And AFAIK some users already use EROFS selinux on Linux 5.10.
>
> Would you mind checking if Fedora kernels did something new for EROFS or
> something else on fc34? Can you check if the images work on upstream
> kernels?

The labels failed in the same way on every distro I tried: Fedora,
openSUSE (5.14.6-1.4.x86_64), Ubuntu (5.11.0-37-generic), and Gentoo
(5.14.8-gentoo-dist-hardened and 5.10.68-gentoo-dist-hardened).

I noticed that the labels appear correctly when the system is running
with SELinux disabled, but booting with it enabled results in
unlabeled_t labels on erofs mounts.

Thanks.

David

More information about the Linux-erofs mailing list