From: Stephen Smalley <sds@tycho.nsa.gov>
To: Scott Mayhew <smayhew@redhat.com>,
	selinux@tycho.nsa.gov, linux-nfs@vger.kernel.org
Cc: "J . Bruce Fields" <bfields@fieldses.org>,
	Trond Myklebust <trondmy@primarydata.com>
Subject: Re: [PATCH RFC 0/2] Fix setting of security labels over NFSv4.2
Date: Fri, 26 May 2017 10:48:17 -0400	[thread overview]
Message-ID: <1495810097.12091.14.camel@tycho.nsa.gov> (raw)
In-Reply-To: <20170525210754.24265-1-smayhew@redhat.com>

On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> Red Hat QE reported that chcon fails over NFSv4.2 on recent kernels.
> The problem is related to how filesystems are mounted in NFSv4.

What kernel version and what is a reproducer for the problem?  I don't
seem to see it on e.g. Fedora 25 with 4.10, unless I misunderstand.

> 
> When an NFSv4 client performs a mount operation, it first mounts the
> NFSv4 root and then does a path walk to the exported path and performs
> a submount on that, cloning the security mount options from the root's
> superblock to the submount's superblock in the process.
> 
> Unless the NFS server has an explicit fsid=0 export with the
> "security_label" option, the NFSv4 root superblock will not have
> SBLABEL_MNT set, and neither will the submount superblock after cloning
> the security mount options.  As a result, setxattrs of security labels
> over NFSv4.2 will fail.
> 
> NFS servers with a modern nfs-utils package will automatically create a
> pseudo fs to fill in the gaps (including the root itself) leading up to
> the actual export, so it is uncommon these days for an NFS server to
> have an explicit fsid=0 export.
> 
> Allowing the NFSv4 client to override the SECURITY_LSM_NATIVE_LABELS
> flag on an initialized superblock would ensure that SBLABEL_MNT is set
> when the client traverses from an exported path without the
> "security_label" option to one with the "security_label" option.
> 
> Scott Mayhew (2):
>   selinux: allow SECURITY_LSM_NATIVE_LABELS to be set on an already
>     initialized superblock
>   nfs: update labeling behavior on a superblock when submounting
> 
>  fs/nfs/super.c           | 23 ++++++++++++++++++++++-
>  security/selinux/hooks.c |  4 ++--
>  2 files changed, 24 insertions(+), 3 deletions(-)
> 

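As an added example, not part of this thread or of the patches under discussion, here is a small Python audit of an /etc/exports file for the condition the cover letter describes: on a client kernel without this fix, setting security labels over NFSv4.2 only works when the NFSv4 root (the fsid=0 export) itself carries the security_label option, so every export that relies on security_label without a labeled explicit root is one where chcon will fail. The script assumes exportfs(8) syntax (a path followed by host(options) entries, '#' comments, backslash continuations), uses the real option names fsid=0/fsid=root and security_label, and simplifies by requiring every client entry on the root export to carry security_label rather than matching client specifications export by export. Both exports files in the block are constructed samples.

```python
"""Audit /etc/exports for the NFSv4.2 labeling condition described above.

Added example (not from the thread or the kernel patches).  Assumptions:
exportfs(8) syntax, option names fsid=0/fsid=root and security_label,
and a per-export (not per-client-match) notion of "labeled".
"""
import re

# Constructed sample: no explicit fsid=0 export, so nfs-utils fabricates the
# pseudo root and, per the cover letter, the root superblock lacks SBLABEL_MNT.
SAMPLE_EXPORTS_UNLABELED_ROOT = """\
# pseudo root is auto-generated; no fsid=0 line
/export          *(rw,sync,security_label)
/export/home     192.168.1.0/24(rw,sync,no_subtree_check,security_label) \\
                 10.0.0.0/8(ro)
/srv/plain       *(rw)
"""

# Constructed sample: the workaround implied for unpatched kernels, an
# explicit fsid=0 export that itself carries security_label.
SAMPLE_EXPORTS_LABELED_ROOT = """\
/                *(ro,fsid=0,security_label)
/export          *(rw,sync,security_label)
/srv/plain       *(rw)
"""

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Parse exports text into [(path, [(client, {option, ...}), ...]), ...].

    Strips '#' comments and joins backslash continuations.  Quoted paths
    containing whitespace are not handled (assumption for this example).
    """
    logical_lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical_lines.append(buf)
        buf = ""
    if buf.strip():
        logical_lines.append(buf)

    exports = []
    for line in logical_lines:
        fields = line.split()
        path, clients = fields[0], []
        for tok in fields[1:]:
            m = _CLIENT_RE.match(tok)
            if m is None:
                raise ValueError("malformed client entry: %r" % tok)
            host = m.group(1) or "*"          # "(opts)" alone means every host
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            clients.append((host, opts))
        exports.append((path, clients))
    return exports


def is_root_export(clients):
    """fsid=0 (or its alias fsid=root) marks the NFSv4 pseudo root."""
    return any("fsid=0" in opts or "fsid=root" in opts for _, opts in clients)


def audit_labeling(text):
    """Report which labeled exports would fail setxattr on an unpatched client.

    root_labeled is True only when an explicit fsid=0 export exists and every
    client entry on it carries security_label; otherwise every export that
    does carry security_label is listed as at_risk.
    """
    exports = parse_exports(text)
    roots = [(p, c) for p, c in exports if is_root_export(c)]
    root_path = roots[0][0] if roots else None
    root_labeled = bool(roots) and all(
        "security_label" in opts for _, opts in roots[0][1])
    labeled = [p for p, c in exports
               if not is_root_export(c)
               and any("security_label" in opts for _, opts in c)]
    return {
        "root_export": root_path,
        "root_labeled": root_labeled,
        "labeled_exports": labeled,
        "at_risk": [] if root_labeled else labeled,
    }


if __name__ == "__main__":
    for name, text in (("unlabeled root", SAMPLE_EXPORTS_UNLABELED_ROOT),
                       ("labeled root", SAMPLE_EXPORTS_LABELED_ROOT)):
        print(name, audit_labeling(text))
```

Run it against a real /etc/exports by passing the file contents to audit_labeling(); an empty at_risk list means the server already has the explicit labeled root, which is the server-side configuration that avoids the failure on clients that do not yet carry the fix.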

Thread overview: 43+ messages
2017-03-29 15:27 [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts Tomeu Vizoso
2017-03-29 21:34 ` J. Bruce Fields
2017-03-30  7:49   ` Tomeu Vizoso
2017-03-30 17:27     ` Stephen Smalley
2017-03-30 17:41       ` J. Bruce Fields
2017-03-30 17:52         ` Stephen Smalley
2017-04-04 23:26           ` J. Bruce Fields
2017-05-25 21:07             ` [PATCH RFC 0/2] Fix setting of security labels over NFSv4.2 Scott Mayhew
2017-05-25 21:07               ` [PATCH RFC 1/2] selinux: allow SECURITY_LSM_NATIVE_LABELS to be set on an already initialized superblock Scott Mayhew
2017-05-25 21:07               ` [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting Scott Mayhew
2017-05-26 14:24                 ` Stephen Smalley
2017-05-26 15:28                   ` Scott Mayhew
2017-05-26 15:42                     ` Stephen Smalley
2017-06-01 14:46                       ` [PATCH] security/selinux: allow security_sb_clone_mnt_opts to enable/disable native labeling behavior Scott Mayhew
2017-06-01 14:55                         ` Scott Mayhew
2017-06-01 18:08                           ` Stephen Smalley
2017-06-01 18:48                             ` Stephen Smalley
2017-06-01 19:40                             ` Scott Mayhew
2017-06-01 18:30                         ` Stephen Smalley
2017-06-01 19:42                           ` Scott Mayhew
2017-06-01 20:59                           ` [PATCH v2] " Scott Mayhew
2017-06-02 12:55                             ` Stephen Smalley
2017-06-02 13:09                               ` Scott Mayhew
2017-06-05 15:45                                 ` [PATCH v3] " Scott Mayhew
2017-06-05 15:55                                   ` Scott Mayhew
2017-06-05 19:53                                   ` Stephen Smalley
2017-06-05 21:21                                   ` Paul Moore
2017-06-06  0:46                                     ` J . Bruce Fields
2017-06-09 20:24                                       ` Paul Moore
2017-05-30 14:38                     ` [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting Stephen Smalley
2017-05-30 19:40                       ` J . Bruce Fields
2017-05-30 19:52                         ` Stephen Smalley
2017-05-26 14:48               ` Stephen Smalley [this message]
2017-05-26 15:17                 ` [PATCH RFC 0/2] Fix setting of security labels over NFSv4.2 J . Bruce Fields
2017-05-26 15:18                   ` J . Bruce Fields
2017-05-26 15:30                 ` Scott Mayhew
