From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Scott Mayhew <smayhew@redhat.com>
Cc: Richard Haines <richard_c_haines@btinternet.com>,
	trond.myklebust@hammerspace.com, anna.schumaker@netapp.com,
	bfields@fieldses.org, Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	linux-nfs@vger.kernel.org, SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] NFS: Ensure security label is set for root inode
Date: Mon, 9 Mar 2020 09:14:19 -0400	[thread overview]
Message-ID: <CAEjxPJ4MhEOVsZLopVgKNF-E2-OwuL3a-c167ngO68B6uUdqNw@mail.gmail.com> (raw)
In-Reply-To: <20200306220132.GD3175@aion.usersys.redhat.com>

On Fri, Mar 6, 2020 at 5:01 PM Scott Mayhew <smayhew@redhat.com> wrote:
>
> On Wed, 04 Mar 2020, Stephen Smalley wrote:
> > I'm not sure that rootcontext= should be supported or is supportable
> > over labeled NFS.
>
> Should rootcontext= be supported for NFS versions < 4.2?  If not then
> maybe that option should be rejected for nfs and nfs4 fstypes in
> selinux_set_mnt_opts().

Looks like it gets ignored currently?
$ sudo exportfs -orw,no_root_squash localhost:/home
$ sudo mkdir -p /mnt/selinux-testsuite
$ sudo mount -t nfs -o vers=4.0,rootcontext=system_u:object_r:etc_t:s0 localhost:/home/sds/selinux-testsuite /mnt/selinux-testsuite
$ ls -Zd /mnt/selinux-testsuite
system_u:object_r:nfs_t:s0 /mnt/selinux-testsuite
$ mount | grep testsuite
localhost:/home/sds/selinux-testsuite on /mnt/selinux-testsuite type nfs4 (rw,relatime,rootcontext=system_u:object_r:etc_t:s0,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)

I don't think we need to support it, but I don't know if we explicitly
need to test and reject it for nfs/nfs4.

> > Its primary use case is to allow assigning a specific context other
> > than the default policy-defined one to the root directory for
> > filesystems that support labeling but don't have existing labels on
> > their root directories, e.g. tmpfs mounts.  Even if we set the
> > rootcontext based on rootcontext= during mount(2), it would likely get
> > overridden by subsequent attribute fetches from the server I would
> > think (e.g. it probably already switches to the context from the
> > server after 30 seconds or
>
> Yes, that's what happens.  If we wanted to retain that behavior moving
> forward, then we need to avoid calling nfs_setsecurity() for the root
> inode when the rootcontext= option was used.  To do that, I think we'd
> need to add a flag that could be passed back to NFS via the
> set_kern_flags parameter of selinux_set_mnt_opts().

Doesn't seem justified.

> > so?). As long as the separate context= option
> > continues to work correctly on NFS, I'm not overly concerned about this.
>
> Yep, the context= option still works.

Great, then I have no objections to this patch.

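The session quoted above makes a point worth turning into a repeatable check: `mount` still lists `rootcontext=` among the options even though the root inode ended up labeled `nfs_t`, so the option appearing in `mount` output proves nothing; only the label reported by `ls -Zd` (or the security.selinux xattr) does. The script below is an added example, not part of this thread or of the NFS/SELinux code. Its two parsing helpers take the text that `mount` and `ls -Zd` print, so they can be exercised on the captured lines from the message above without an NFS server; `check_mount` wires them to the live commands and is the part that needs root and an SELinux-enabled client. The sample strings are copied from the session above.

```sh
#!/bin/sh
# Added example: verify whether an SELinux mount option (rootcontext=,
# context=, fscontext=, defcontext=) was actually applied to the root
# inode of a mounted filesystem, rather than merely recorded in the
# mount options. Not code from the thread or the kernel.

# Captured lines from the session above (used for offline exercise).
MOUNT_LINE='localhost:/home/sds/selinux-testsuite on /mnt/selinux-testsuite type nfs4 (rw,relatime,rootcontext=system_u:object_r:etc_t:s0,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)'
LS_LINE='system_u:object_r:nfs_t:s0 /mnt/selinux-testsuite'

# Print the value of option $2 from one line of `mount` output ($1), or
# nothing if the option is absent. The option name must be preceded by
# "(" or "," so that "context" does not match inside "rootcontext=".
mount_opt() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[(,]'"$2"'=\([^,)]*\)[,)].*/\1/p'
}

# Print the security context from one line of `ls -Zd <dir>` output ($1);
# the context is the first whitespace-separated field.
root_label() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Verdict for option $1 given a mount line ($2) and an ls -Zd line ($3):
#   honored  - root inode carries exactly the requested context
#   ignored  - option present, root inode carries something else
#   absent   - option not present in the mount options
opt_verdict() {
    want=$(mount_opt "$2" "$1")
    got=$(root_label "$3")
    if [ -z "$want" ]; then
        echo absent
    elif [ "$want" = "$got" ]; then
        echo honored
    else
        echo ignored
    fi
}

# Live check: $1 is a mount point on this host. Reports a verdict for each
# of the SELinux mount options, using the real `mount` and `ls -Zd`.
check_mount() {
    line=$(mount | grep -F " on $1 type ")
    if [ -z "$line" ]; then
        echo "not mounted: $1" >&2
        return 2
    fi
    lsline=$(ls -Zd "$1")
    for opt in rootcontext context fscontext defcontext; do
        printf '%s=: %s\n' "$opt" "$(opt_verdict "$opt" "$line" "$lsline")"
    done
    return 0
}

# Offline demonstration on the captured lines; prints "ignored", which is
# the outcome the session above shows for rootcontext= on a vers=4.0 mount.
if [ "${1:-}" = "--demo" ]; then
    printf 'rootcontext=: %s\n' "$(opt_verdict rootcontext "$MOUNT_LINE" "$LS_LINE")"
fi
```

Run `sh check.sh --demo` to see the verdict for the captured lines, or source the file and call `check_mount /mnt/selinux-testsuite` on a client after mounting with `context=` and again with `rootcontext=`; the thread reports the first as honored and the second as ignored, and a check like this is how to confirm that on your own kernel.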
2020-03-03 22:58 [PATCH] NFS: Ensure security label is set for root inode Scott Mayhew
2020-03-04 13:55 ` Richard Haines
2020-03-04 14:37   ` Scott Mayhew
2020-03-04 15:38     ` Stephen Smalley
2020-03-06 22:01       ` Scott Mayhew
2020-03-08 17:47         ` Richard Haines
2020-03-09 13:35           ` Stephen Smalley
2020-03-09 16:41             ` Richard Haines
2020-03-09 18:05               ` Stephen Smalley
2020-03-10 13:27             ` Richard Haines
2020-03-10 15:20               ` Stephen Smalley
2020-03-09 13:14         ` Stephen Smalley [this message]
2020-03-10 15:54 ` Stephen Smalley
2020-03-13  0:52   ` Paul Moore