1 files changed, 19 insertions, 8 deletions

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b52f923ce680..8e42da120101 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1934,7 +1934,8 @@ out:
 int security_fs_use(
         const char *fstype,
         unsigned int *behavior,
-        u32 *sid)
+        u32 *sid,
+        bool can_xattr)
 {
         int rc = 0;
         struct ocontext *c;
@@ -1948,6 +1949,7 @@ int security_fs_use(
                 c = c->next;
         }
 
+        /* look for labeling behavior defined in policy */
         if (c) {
                 *behavior = c->v.behavior;
                 if (!c->sid[0]) {
@@ -1958,14 +1960,23 @@ int security_fs_use(
                                 goto out;
                 }
                 *sid = c->sid[0];
+                goto out;
+        }
+
+        /* labeling behavior not in policy, use xattrs if possible */
+        if (can_xattr) {
+                *behavior = SECURITY_FS_USE_XATTR;
+                *sid = SECINITSID_FS;
+                goto out;
+        }
+
+        /* no behavior in policy and can't use xattrs, try GENFS */
+        rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
+        if (rc) {
+                *behavior = SECURITY_FS_USE_NONE;
+                rc = 0;
         } else {
-                rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
-                if (rc) {
-                        *behavior = SECURITY_FS_USE_NONE;
-                        rc = 0;
-                } else {
-                        *behavior = SECURITY_FS_USE_GENFS;
-                }
+                *behavior = SECURITY_FS_USE_GENFS;
         }
 
 out: