)]}'
{
  "commit": "cec5fe700799b3f863d25cf883f02e5735598ab5",
  "tree": "263e3aed672035884d71957124e62ed1e9abbc9d",
  "parents": [
    "29cd55fe69e37722c797504cffeb9f9e13df1faf"
  ],
  "author": {
    "name": "Ondrej Mosnacek",
    "email": "omosnace@redhat.com",
    "time": "Mon May 29 16:05:27 2023 +0200"
  },
  "committer": {
    "name": "Paul Moore",
    "email": "paul@paul-moore.com",
    "time": "Tue May 30 17:44:34 2023 -0400"
  },
  "message": "selinux: make labeled NFS work when mounted before policy load\n\nCurrently, when an NFS filesystem that supports passing LSM/SELinux\nlabels is mounted during early boot (before the SELinux policy is\nloaded), it ends up mounted without the labeling support (i.e. with\nFedora policy all files get the generic NFS label\nsystem_u:object_r:nfs_t:s0).\n\nThis is because the information that the NFS mount supports passing\nlabels (communicated to the LSM layer via the kern_flags argument of\nsecurity_set_mnt_opts()) gets lost and when the policy is loaded the\nmount is initialized as if the passing is not supported.\n\nFix this by noting the \"native labeling\" in newsbsec-\u003eflags (using a new\nSE_SBNATIVE flag) on the pre-policy-loaded call of\nselinux_set_mnt_opts() and then making sure it is respected on the\nsecond call from delayed_superblock_init().\n\nAdditionally, make inode_doinit_with_dentry() initialize the inode\u0027s\nlabel from its extended attributes whenever it doesn\u0027t find it already\nintitialized by the filesystem. This is needed to properly initialize\npre-existing inodes when delayed_superblock_init() is called. It should\nnot trigger in any other cases (and if it does, it\u0027s still better to\ninitialize the correct label instead of leaving the inode unlabeled).\n\nFixes: eb9ae686507b (\"SELinux: Add new labeling type native labels\")\nTested-by: Scott Mayhew \u003csmayhew@redhat.com\u003e\nSigned-off-by: Ondrej Mosnacek \u003comosnace@redhat.com\u003e\n[PM: fixed \u0027Fixes\u0027 tag format]\nSigned-off-by: Paul Moore \u003cpaul@paul-moore.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "03660e551094cec54997a2a1ec5340aff4521265",
      "old_mode": 33188,
      "old_path": "security/selinux/hooks.c",
      "new_id": "d06e350fedee5f7936ce0e9bd33c8befd771f886",
      "new_mode": 33188,
      "new_path": "security/selinux/hooks.c"
    },
    {
      "type": "modify",
      "old_id": "815838ba7f2a76334918d488de533ca7b7e85374",
      "old_mode": 33188,
      "old_path": "security/selinux/include/security.h",
      "new_id": "3b605f39e0401a32619d6c848672c3e5211208ca",
      "new_mode": 33188,
      "new_path": "security/selinux/include/security.h"
    }
  ]
}