From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934303AbdC3Rs1 (ORCPT ); Thu, 30 Mar 2017 13:48:27 -0400 Received: from emsm-gh1-uea10.nsa.gov ([8.44.101.8]:49961 "EHLO emsm-gh1-uea10.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933891AbdC3RsZ (ORCPT ); Thu, 30 Mar 2017 13:48:25 -0400 X-IronPort-AV: E=Sophos;i="5.36,247,1486425600"; d="scan'208";a="5439441" IronPort-PHdr: =?us-ascii?q?9a23=3AAWOduBFYBsZ/E0kfLMq3gZ1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ76ps+zbnLW6fgltlLVR4KTs6sC0LuL9fCxEjVZvd6oizMrSNR0TRgLiM?= =?us-ascii?q?EbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVr?= =?us-ascii?q?O+/7BpDdj9it1+C15pbffxhEiCCzbL52LBi6twbcu80ZjYd/N6o8xQbCr2dVde?= =?us-ascii?q?hR2W5mP0+YkQzm5se38p5j8iBQtOwk+sVdT6j0fLk2QKJBAjg+PG87+MPktR/Y?= =?us-ascii?q?TQuS/XQcSXkZkgBJAwfe8h73WIr6vzbguep83CmaOtD2TawxVD+/4apnVAPkhS?= =?us-ascii?q?EaPDMi7mrZltJ/g75aoBK5phxw3YjUYJ2ONPFjeq/RZM4WSXZdUspUUSFODJm8?= =?us-ascii?q?b48SBOQfO+hWoZT2q18XoRegGQWgAeXiwSJKiHDrx603y+cvHxzG0gI+EdwBsn?= =?us-ascii?q?rUrNLpO6kVXu+7w7LFzSnAYv5MxTvw8pTEfxInrPqRXbxwa83RyUw3Gg3YklWf?= =?us-ascii?q?t5TlPzOL2eQLrmOV8u9gWviri24jtQ5woiWky8A3iobUnYIY0UzE9CVlz4Y1It?= =?us-ascii?q?20Ukh7YcW+H5dKuCGaMJV2T9okTmp1tig6zbgGtoS6fCgM0Jko2RHeZOaCc4iQ?= =?us-ascii?q?5hLsSvydLit/hHJgfr+0mhW88VC4x+HhWcS530xGoypYntXWqHwA2ALf5tKaRv?= =?us-ascii?q?Z740yvwyyA1xrJ5eFBOU00kK3bJIM/zbMojZoTtFjDHjfxmEXrkK+abkUk9fas?= =?us-ascii?q?6+TgerjmuoWTN5V1igHjKaQigNC/AOQkPQgOWGiX4+K826H4/ULlWrlKi/w2kq?= =?us-ascii?q?3BvJDbI8QUuLK5DhdI3oss5BuzFTer3MkCkXUZI19JZgiLg5XxN1HLOv/4DPO/?= =?us-ascii?q?g1q2kDdswvDLJqbhDYjWLnXYjLfgfapy605byAYpy9Bf/IhbBqsOIPL0RE/9rM?= =?us-ascii?q?bYAQMhMwyo3+bnD81w1oEEVmKKHKCZK7nesVuS6uIqJOmMfpUVuDfmK/U+4P7u?= =?us-ascii?q?l2U2lkMZfaa3x5cYdHe4HvF+KUWDfXXsmssBEXsNvgcmSOzqiVuCUSNcZnqrRK?= =?us-ascii?q?Iz+C00CJ+8DYfCWoCsgKWN3CK8HpJLe2BGDk6DHGz2d4WLRfgMcjieIsx/nTwe?= =?us-ascii?q?U7iuVYsh2QuptA/gxLptNvDU9TEAtZL/yNh14PXelRUz9TxyEsSc3HiBT2JqkW?= =?us-ascii?q?MSQT85wqR/rFdjyleMz6d4meZUFd9N6PNTVAc1K5rcw/Z9C9DoVQLLZs2JR0q+?= =?us-ascii?q?QtW6HTExSco8w8MJY0Z4BdqikwrP3zSrA74UkLyLH5s0/7nA0Hj2I8Z9z2zJ27?= =?us-ascii?q?Imj1k8WMRDL3Gphql69wLLHY7Gj12Zl7q2daQbxCPC72mDzWuQs0FcTQFwSr7I?= =?us-ascii?q?XWoBaUTLrdT2/F/CQ6WyBrQgNwsSgfKFf+FoLJXDl0hNSb/NOdnab3n70zO6Cx?= =?us-ascii?q?eFwr+XRJDnd2UUwGPWD01SwC4J+nPTDhQzHiespSrlCTVqEV/+Kxf3/fJWtGKw?= =?us-ascii?q?TkhyyRqDKUJmyezmqVYumfWARqZLjfo/syA7pmAxRQzl0g=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2EXBwAEQ91Y/wHyM5BdHAEBBAEBCgEBFwEBBAEBCgEBgwI?= =?us-ascii?q?pgWyDYpo0AQEBAQEBBoEjk0GEHYYiAoM3VwEBAQEBAQEBAgECaCiCMyIBgj8BA?= =?us-ascii?q?QEBAgEjBAsBRhALDQsCAiYCAlcGE4gDgXsFCK4KgWw6JgKKLAEBAQEGAQEBAQE?= =?us-ascii?q?jgQuEfoU0hEeDE4JfBZxqklCKc4ZESJMlWIEFHAkCFAgeD0GGdSQ1hlmCOwEBA?= =?us-ascii?q?Q?= Message-ID: <1490896334.2099.4.camel@tycho.nsa.gov> Subject: Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts From: Stephen Smalley To: "J. Bruce Fields" Cc: Tomeu Vizoso , "linux-kernel@vger.kernel.org" , linux-security-module@vger.kernel.org, James Morris , selinux@tycho.nsa.gov Date: Thu, 30 Mar 2017 13:52:14 -0400 In-Reply-To: <20170330174147.GA11004@parsley.fieldses.org> References: <20170329152724.19030-1-tomeu.vizoso@collabora.com> <20170329213439.GC19617@parsley.fieldses.org> <1490894827.2099.2.camel@tycho.nsa.gov> <20170330174147.GA11004@parsley.fieldses.org> Organization: National Security Agency Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 (3.22.6-2.fc25) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2017-03-30 at 13:41 -0400, J. Bruce Fields wrote: > On Thu, Mar 30, 2017 at 01:27:07PM -0400, Stephen Smalley wrote: > > On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote: > > > On 29 March 2017 at 23:34, J. Bruce Fields > > > wrote: > > > > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote: > > > > > Labelling of files in a NFSv4.2 currently fails with ENOTSUPP > > > > > because > > > > > the mount point doesn't have SBLABEL_MNT. > > > > > > > > > > Add specific condition for NFS4 filesystems so it gets > > > > > correctly > > > > > labeled. > > > > > > > > Huh.  Looking at the code, I think this is meant to be handled > > > > by > > > > the > > > > SECURITY_FS_USE_NATIVE case--there was a similar failure fixed > > > > some > > > > time > > > > ago by 9fc2b4b436cf.  What kernel are you seeing this on?  Is > > > > it a > > > > recent regression (in which case, what's the latest kernel that > > > > worked > > > > for you)? > > > > > > I have seen this on 4.11-rc4, but I never tried to get this > > > working > > > before. > > > > > > I will try to find time to see why SECURITY_FS_USE_NATIVE isn't > > > working here. > > > > Does your exports file specify the "security_label" option, e.g. > > /path/to/dir example.com(rw,security_label) > > Oops, right, that should have been the first thing I asked about.... > > > It appears that with recent kernels that is now required; > > otherwise, > > the mount defaults to not enabling native labeling and all of the > > files > > are treated as having a single, fixed label defined by the client > > policy (and hence setxattr is not supported).  This was kernel > > commit > > 32ddd944a056c786f6acdd95ed29e994adc613a2.  I don't recall seeing > > any > > discussion of this on selinux list.  I understand the rationale, > > but it > > seems like a user-visible regression > > It is.  I also want to keep new protocol upgrades free of user > regressions, which the 4.1->4.2 upgrade is in most cases if we turn > on > security labeling by default.  So I was stuck choosing between two > regresisons, and figured 4.2 user depending on security labeling was > still the much rarer case. > > So I'd like to keep security labeling off by default, but if there's > anything I can do to smooth the transition obviously that's good. Yes, I understand - wish though that it could have been communicated better, e.g. on selinux list (unless I just missed it somehow). > > > and at the very least, it seems odd that they didn't just use > > "seclabel" as the kernel does in /proc/mounts to signify a > > filesystem > > that supports security labeling by userspace. > > I see logic in sb_finish_set_opts() that sets SBLABEL_MNT in the > selinux_is_sblabel_mnt() case.  Doesn't that mean "seclabel" shows up > in > /proc/mounts when we nfs sets SECURITY_LSM_NATIVE_LABELS? > > I may not understand your comment, I'm pretty unfamiliar with this > area. Correct, I just meant it seems potentially confusing to users to use "security_label" in exports when we show it as "seclabel" in /proc/mounts. I know, they are totally different namespaces (in the conventional sense), but consistency might have been more user- friendly. From mboxrd@z Thu Jan 1 00:00:00 1970 From: sds@tycho.nsa.gov (Stephen Smalley) Date: Thu, 30 Mar 2017 13:52:14 -0400 Subject: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts In-Reply-To: <20170330174147.GA11004@parsley.fieldses.org> References: <20170329152724.19030-1-tomeu.vizoso@collabora.com> <20170329213439.GC19617@parsley.fieldses.org> <1490894827.2099.2.camel@tycho.nsa.gov> <20170330174147.GA11004@parsley.fieldses.org> Message-ID: <1490896334.2099.4.camel@tycho.nsa.gov> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Thu, 2017-03-30 at 13:41 -0400, J. Bruce Fields wrote: > On Thu, Mar 30, 2017 at 01:27:07PM -0400, Stephen Smalley wrote: > > On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote: > > > On 29 March 2017 at 23:34, J. Bruce Fields > > > wrote: > > > > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote: > > > > > Labelling of files in a NFSv4.2 currently fails with ENOTSUPP > > > > > because > > > > > the mount point doesn't have SBLABEL_MNT. > > > > > > > > > > Add specific condition for NFS4 filesystems so it gets > > > > > correctly > > > > > labeled. > > > > > > > > Huh.??Looking at the code, I think this is meant to be handled > > > > by > > > > the > > > > SECURITY_FS_USE_NATIVE case--there was a similar failure fixed > > > > some > > > > time > > > > ago by 9fc2b4b436cf.??What kernel are you seeing this on???Is > > > > it a > > > > recent regression (in which case, what's the latest kernel that > > > > worked > > > > for you)? > > > > > > I have seen this on 4.11-rc4, but I never tried to get this > > > working > > > before. > > > > > > I will try to find time to see why SECURITY_FS_USE_NATIVE isn't > > > working here. > > > > Does your exports file specify the "security_label" option, e.g. > > /path/to/dir example.com(rw,security_label) > > Oops, right, that should have been the first thing I asked about.... > > > It appears that with recent kernels that is now required; > > otherwise, > > the mount defaults to not enabling native labeling and all of the > > files > > are treated as having a single, fixed label defined by the client > > policy (and hence setxattr is not supported).??This was kernel > > commit > > 32ddd944a056c786f6acdd95ed29e994adc613a2.??I don't recall seeing > > any > > discussion of this on selinux list.??I understand the rationale, > > but it > > seems like a user-visible regression > > It is.??I also want to keep new protocol upgrades free of user > regressions, which the 4.1->4.2 upgrade is in most cases if we turn > on > security labeling by default.??So I was stuck choosing between two > regresisons, and figured 4.2 user depending on security labeling was > still the much rarer case. > > So I'd like to keep security labeling off by default, but if there's > anything I can do to smooth the transition obviously that's good. Yes, I understand - wish though that it could have been communicated better, e.g. on selinux list (unless I just missed it somehow). > > > and at the very least, it seems odd that they didn't just use > > "seclabel" as the kernel does in /proc/mounts to signify a > > filesystem > > that supports security labeling by userspace. > > I see logic in sb_finish_set_opts() that sets SBLABEL_MNT in the > selinux_is_sblabel_mnt() case.??Doesn't that mean "seclabel" shows up > in > /proc/mounts when we nfs sets SECURITY_LSM_NATIVE_LABELS? > > I may not understand your comment, I'm pretty unfamiliar with this > area. Correct, I just meant it seems potentially confusing to users to use "security_label" in exports when we show it as "seclabel" in /proc/mounts. I know, they are totally different namespaces (in the conventional sense), but consistency might have been more user- friendly. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html