3 files changed, 37 insertions, 14 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4130d64359a3..85f74f665765 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -556,13 +556,15 @@ static int selinux_set_mnt_opts(struct super_block *sb,
         struct task_security_struct *tsec = current->security;
         struct superblock_security_struct *sbsec = sb->s_security;
         const char *name = sb->s_type->name;
-        struct inode *inode = sbsec->sb->s_root->d_inode;
-        struct inode_security_struct *root_isec = inode->i_security;
+        struct dentry *root = sb->s_root;
+        struct inode *root_inode = root->d_inode;
+        struct inode_security_struct *root_isec = root_inode->i_security;
         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
         u32 defcontext_sid = 0;
         char **mount_options = opts->mnt_opts;
         int *flags = opts->mnt_opts_flags;
         int num_opts = opts->num_mnt_opts;
+        bool can_xattr = false;
 
         mutex_lock(&sbsec->lock);
 
@@ -666,14 +668,24 @@ static int selinux_set_mnt_opts(struct super_block *sb,
                 goto out;
         }
 
-        if (strcmp(sb->s_type->name, "proc") == 0)
+        if (strcmp(name, "proc") == 0)
                 sbsec->proc = 1;
 
+        /*
+         * test if the fs supports xattrs, fs_use might make use of this if the
+         * fs has no definition in policy.
+         */
+        if (root_inode->i_op->getxattr) {
+                rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
+                if (rc >= 0 || rc == -ENODATA)
+                        can_xattr = true;
+        }
+
         /* Determine the labeling behavior to use for this filesystem type. */
-        rc = security_fs_use(sb->s_type->name, &sbsec->behavior, &sbsec->sid);
+        rc = security_fs_use(name, &sbsec->behavior, &sbsec->sid, can_xattr);
         if (rc) {
                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
-                       __func__, sb->s_type->name, rc);
+                       __func__, name, rc);
                 goto out;
         }
 
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 7c543003d653..44cba2e21dcf 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -136,7 +136,7 @@ int security_get_allow_unknown(void);
 #define SECURITY_FS_USE_MNTPOINT        6 /* use mountpoint labeling */
 
 int security_fs_use(const char *fstype, unsigned int *behavior,
-        u32 *sid);
+        u32 *sid, bool can_xattr);
 
 int security_genfs_sid(const char *fstype, char *name, u16 sclass,
         u32 *sid);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b52f923ce680..8e42da120101 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1934,7 +1934,8 @@ out:
 int security_fs_use(
         const char *fstype,
         unsigned int *behavior,
-        u32 *sid)
+        u32 *sid,
+        bool can_xattr)
 {
         int rc = 0;
         struct ocontext *c;
@@ -1948,6 +1949,7 @@ int security_fs_use(
                 c = c->next;
         }
 
+        /* look for labeling behavior defined in policy */
         if (c) {
                 *behavior = c->v.behavior;
                 if (!c->sid[0]) {
@@ -1958,14 +1960,23 @@ int security_fs_use(
                                 goto out;
                 }
                 *sid = c->sid[0];
+                goto out;
+        }
+
+        /* labeling behavior not in policy, use xattrs if possible */
+        if (can_xattr) {
+                *behavior = SECURITY_FS_USE_XATTR;
+                *sid = SECINITSID_FS;
+                goto out;
+        }
+
+        /* no behavior in policy and can't use xattrs, try GENFS */
+        rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
+        if (rc) {
+                *behavior = SECURITY_FS_USE_NONE;
+                rc = 0;
         } else {
-                rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, sid);
-                if (rc) {
-                        *behavior = SECURITY_FS_USE_NONE;
-                        rc = 0;
-                } else {
-                        *behavior = SECURITY_FS_USE_GENFS;
-                }
+                *behavior = SECURITY_FS_USE_GENFS;
         }
 
 out: