lomac_vnode_associate_extattr() and lomac_vnode_setlabel_extattr() only copy part of the LOMAC label, ignoring the value of the auxiliary grade.
Note that lomac_vnode_create_extattr(), the third function to access the file extended attributes, does already copy the auxiliary grade if it is present.
The problem has been reported for 9.1-RELEASE but it has been confirmed to be present in stable/9. The same problem is likely to be present in head (-CURRENT) as the relevant code has not been modified.
Fix: Apply the patch. Tested with GENERIC kernel on 9.1-RELEASE and stable/9.
Patch attached with submission follows:
How-To-Repeat:
1. enable mac_lomac policy in kernel
2. create a multilabel filesystem (newfs -l -U /dev/somedev)
3. mount the filesystem and set lomac labels
   mount /dev/somedev /mnt
   setfmac lomac/high\[low\] /mnt/1 # aux grade
   touch /mnt/1/2 # inherits grade from directory
   setfmac lomac/high\[low\] /mnt/1/3 # set manually
4. use getextattr -x system mac_lomac /mnt/1 /mnt/1/2 /mnt/1/3
   (only the file that inherited the grade has aux grade in extattr)
5. note the labels ls -lZa /mnt/1
6. umount /mnt; mount /dev/somedev /mnt
7. note the aux grades are missing with ls -lZa /mnt/1
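
Added illustration, not part of the report or of the FreeBSD source: a simplified userland C model of the store-then-reload round trip the steps above exercise. The struct, flag and function names are assumptions made for this sketch; it contrasts copying only the main grade on the write and read paths with copying the auxiliary grade as well.

```c
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not the kernel's. */
enum { FLAG_SINGLE = 0x1, FLAG_AUX = 0x4 };
enum { GRADE_LOW = 1, GRADE_HIGH = 2 };

struct model_label {
    int flags;
    int single; /* main grade */
    int aux;    /* auxiliary grade, meaningful only with FLAG_AUX */
};

/* Copy only the main grade: the partial copy the report describes. */
static void copy_single(const struct model_label *src, struct model_label *dst)
{
    dst->single = src->single;
    dst->flags |= FLAG_SINGLE;
}

/* Copy the auxiliary grade when the source label carries one. */
static void copy_aux(const struct model_label *src, struct model_label *dst)
{
    if (src->flags & FLAG_AUX) {
        dst->aux = src->aux;
        dst->flags |= FLAG_AUX;
    }
}

/* Write a label to modelled extattr storage, then load it back (remount). */
struct model_label roundtrip(struct model_label in, int with_aux)
{
    struct model_label stored = {0}, loaded = {0};

    copy_single(&in, &stored);      /* set-label path: label -> extattr */
    if (with_aux)
        copy_aux(&in, &stored);
    copy_single(&stored, &loaded);  /* associate path: extattr -> label */
    if (with_aux)
        copy_aux(&stored, &loaded);
    return loaded;
}

/* Returns 1 if a high[low] label still has its aux grade after reload. */
int aux_survives(int with_aux)
{
    struct model_label l = { FLAG_SINGLE | FLAG_AUX, GRADE_HIGH, GRADE_LOW };
    struct model_label r = roundtrip(l, with_aux);
    return (r.flags & FLAG_AUX) && r.aux == GRADE_LOW && r.single == GRADE_HIGH;
}

int main(void)
{
    printf("partial copy: aux %s\n", aux_survives(0) ? "kept" : "lost");
    printf("full copy:    aux %s\n", aux_survives(1) ? "kept" : "lost");
    return 0;
}
```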
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped