Date: Wed, 29 Mar 2017 17:34:40 -0400
From: "J. Bruce Fields"
To: Tomeu Vizoso
Cc: linux-kernel@vger.kernel.org, Paul Moore, Stephen Smalley, Eric Paris, James Morris, "Serge E. Hallyn", selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts
Message-ID: <20170329213439.GC19617@parsley.fieldses.org>
References: <20170329152724.19030-1-tomeu.vizoso@collabora.com>
In-Reply-To: <20170329152724.19030-1-tomeu.vizoso@collabora.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote:
> Labelling of files in a NFSv4.2 currently fails with ENOTSUPP because
> the mount point doesn't have SBLABEL_MNT.
>
> Add specific condition for NFS4 filesystems so it gets correctly
> labeled.

Huh. Looking at the code, I think this is meant to be handled by the
SECURITY_FS_USE_NATIVE case--there was a similar failure fixed some time
ago by 9fc2b4b436cf.

What kernel are you seeing this on? Is it a recent regression (in which
case, what's the latest kernel that worked for you)?

--b.

>
> Signed-off-by: Tomeu Vizoso
> Cc: J. Bruce Fields
>
> ---
>
> Hi,
>
> cannot remotely say that I currently understand how selinux is expected
> to work within NFS mounts, but this change allowed me to fully boot AOSP
> with its rootfs and ramdisk on a single NFS share.
>
> Thanks,
>
> Tomeu
> ---
> security/selinux/hooks.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0c2ac318aa7f..71cd1d8c67c2 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c
> @@ -485,6 +485,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) > !strcmp(sb->s_type->name, "debugfs") || > !strcmp(sb->s_type->name, "tracefs") || > !strcmp(sb->s_type->name, "rootfs") || > + !strcmp(sb->s_type->name, "nfs4") || > (selinux_policycap_cgroupseclabel && > (!strcmp(sb->s_type->name, "cgroup") || > !strcmp(sb->s_type->name, "cgroup2"))); > -- > 2.9.3 >
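Review bot: the added "nfs4" comparison in selinux_is_sblabel_mnt() matches on the filesystem type name alone, so it would report every nfs4 superblock as label-capable, not only the NFSv4.2 mounts the commit message describes. The neighbouring cgroup and cgroup2 entries are gated on selinux_policycap_cgroupseclabel, while this line has no condition at all. As the reply points out, this situation is meant to be covered by the SECURITY_FS_USE_NATIVE case, so the change should first establish why that case is not reached on the affected kernel instead of adding a name match next to debugfs, tracefs and rootfs. The commit message should also state the kernel version and whether this is a regression, since neither is given.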