Invalidate selinux security label during inode invalidation.#145

Merged
hbirth merged 1 commit into DDNStorage:redfs-ubuntu-noble-6.8.0-58.60 from kchen-ddn:selinux_label_inval_new
Apr 23, 2026

@kchen-ddn

Setting SELinux security label on one client node should invalidate cached security label on other nodes.
Add security_inode_invalidate_secctx() in fuse_reverse_inval_inode() to do so.

@kchen-ddn
Author

@yongzech @bsbernd @hbirth Please help to review.

@hbirth
Collaborator

hbirth commented Apr 21, 2026

could you add a bit more detail in the commit message?

@bsbernd
Collaborator

bsbernd commented Apr 21, 2026

@kchen-ddn Could you submit to upstream linux?

Add security_inode_invalidate_secctx() call to invalidate cached
security context when inode attributes change. This ensures that
SELinux security labels are properly refreshed and prevents stale
security context from being used after inode modifications.

Signed-off-by: Kevin Chen <kchen@ddn.com>
@kchen-ddn kchen-ddn force-pushed the selinux_label_inval_new branch from 46407a5 to 44061e6 Compare April 22, 2026 01:48
@kchen-ddn
Author

> could you add a bit more detail in the commit message?

Done.

@kchen-ddn
Author

> @kchen-ddn Could you submit to upstream linux?

Sure, I'll create a PR.

@hbirth
Collaborator

hbirth commented Apr 22, 2026

@bsbernd @kchen-ddn what other linux versions will need this? I'm not entirely sure this will actually work for RHEL9_4 etc.

@kchen-ddn
Author

> @bsbernd @kchen-ddn what other linux versions will need this? I'm not entirely sure this will actually work for RHEL9_4 etc.

Sorry, why is that? This security_inode_invalidate_secctx() is introduced in kernel version 4.5, so I think RHEL9_4 should also have it.

@hbirth
Collaborator

hbirth commented Apr 23, 2026

> > @bsbernd @kchen-ddn what other linux versions will need this? I'm not entirely sure this will actually work for RHEL9_4 etc.
>
> Sorry, why is that? This security_inode_invalidate_secctx() is introduced in kernel version 4.5, so I think RHEL9_4 should also have it.

I was worried about semantics, but if you checked, we're fine.

@hbirth hbirth merged commit 6c9ec1d into DDNStorage:redfs-ubuntu-noble-6.8.0-58.60 Apr 23, 2026
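
A user-space model of the stale-label problem described in the PR description and commit message, added here as an illustration and not code from the PR or the kernel: node B keeps using its cached label after node A relabels the file unless the invalidation also drops the cached label. All names and the sample SELinux contexts are constructed; `drop_label` stands in for the `security_inode_invalidate_secctx()` call.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
enum lbl_state { LBL_INVALID, LBL_VALID };
struct backing_file { char label[64]; };   /* authoritative label on shared storage */
struct client_inode {                      /* one node's in-memory inode */
    struct backing_file *file;
    enum lbl_state state;
    char cached[64];
};

/* Label this node uses for access decisions; refetched only when invalid. */
static const char *client_label(struct client_inode *ci)
{
    if (ci->state == LBL_INVALID) {
        snprintf(ci->cached, sizeof(ci->cached), "%s", ci->file->label);
        ci->state = LBL_VALID;
    }
    return ci->cached;
}

/* Model of the inode invalidation arriving at a node; drop_label stands in
 * for the security_inode_invalidate_secctx() call the PR describes. */
static void reverse_inval(struct client_inode *ci, int drop_label)
{
    if (drop_label)      /* attribute/page-cache invalidation not modelled */
        ci->state = LBL_INVALID;
}

/* Returns 1 if node B still uses the old label after node A relabels. */
int stale_after_relabel(int drop_label)
{
    struct backing_file f;
    struct client_inode b = { &f, LBL_INVALID, "" };

    snprintf(f.label, sizeof(f.label), "system_u:object_r:user_home_t:s0"); /* constructed */
    client_label(&b);                                   /* node B caches it */
    snprintf(f.label, sizeof(f.label), "system_u:object_r:shadow_t:s0");    /* node A relabels */
    reverse_inval(&b, drop_label);
    return strcmp(client_label(&b), f.label) != 0;
}

int main(void)
{
    printf("without label invalidation: stale=%d\n", stale_after_relabel(0));
    printf("with label invalidation:    stale=%d\n", stale_after_relabel(1));
    return 0;
}
```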