linux/security/selinux/ss
Eric Paris 811f379927 SELinux: allow fstype unknown to policy to use xattrs if present
Currently if a FS is mounted for which SELinux policy does not define an
fs_use_* that FS will either be genfs labeled or not labeled at all.
This decision is based on the existence of a genfscon rule in policy and
is irrespective of the capabilities of the filesystem itself.  This
patch allows the kernel to check if the filesystem supports security
xattrs and if so will use those if there is no fs_use_* rule in policy.
An fstype with no fs_use_* rule but with a genfs rule will use xattrs
if available and will follow the genfs rule.

This can be particularly interesting for things like ecryptfs which
actually overlays a real underlying FS.  If we define ecryptfs in
policy to use xattrs we will likely get this wrong at times, so with
this patch we just don't need to define it!

Overlay ecryptfs on top of NFS with no xattr support:
SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts
Overlay ecryptfs on top of ext4 with xattr support:
SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr

It is also useful as the kernel adds new FS we don't need to add them in
policy if they support xattrs and that is how we want to handle them.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2008-07-14 15:02:04 +10:00
..
Makefile Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
avtab.c SELinux: keep the code clean formating and syntax 2008-07-14 15:01:36 +10:00
avtab.h SELinux: add more validity checks on policy load 2007-11-08 08:56:23 +11:00
conditional.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6 2008-04-21 16:01:40 -07:00
conditional.h SELinux: ss/conditional.h whitespace, syntax, and other cleanups 2008-04-28 09:29:02 +10:00
constraint.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
context.h selinux: support deferred mapping of contexts 2008-07-14 15:01:34 +10:00
ebitmap.c SELinux: ebitmap.c whitespace, syntax, and static declaraction cleanups 2008-04-21 19:07:32 +10:00
ebitmap.h SELinux: kills warnings in Improve SELinux performance when AVC misses 2007-10-17 08:59:36 +10:00
hashtab.c SELinux: hashtab.c whitespace, syntax, and static declaraction cleanups 2008-04-21 19:07:32 +10:00
hashtab.h SELinux: hashtab.h whitespace, syntax, and other cleanups 2008-04-28 09:29:04 +10:00
mls.c SELinux: keep the code clean formating and syntax 2008-07-14 15:01:36 +10:00
mls.h selinux: support deferred mapping of contexts 2008-07-14 15:01:34 +10:00
mls_types.h SELinux: mls_types.h whitespace, syntax, and other cleanups 2008-04-28 09:29:06 +10:00
policydb.c selinux: fix endianness bug in network node address handling 2008-07-14 15:01:54 +10:00
policydb.h SELinux: policydb.h whitespace, syntax, and other cleanups 2008-04-28 09:29:07 +10:00
services.c SELinux: allow fstype unknown to policy to use xattrs if present 2008-07-14 15:02:04 +10:00
services.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sidtab.c SELinux: open code sidtab lock 2008-07-14 15:01:57 +10:00
sidtab.h selinux: support deferred mapping of contexts 2008-07-14 15:01:34 +10:00
symtab.c SELinux: ensure keys constant in hashtab_search 2006-11-28 12:04:37 -05:00
symtab.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00