From: Scott Mayhew <smayhew@redhat.com>
To: selinux@tycho.nsa.gov, linux-nfs@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>,
	Trond Myklebust <trondmy@primarydata.com>,
	"J . Bruce Fields" <bfields@fieldses.org>
Subject: [PATCH RFC 1/2] selinux: allow SECURITY_LSM_NATIVE_LABELS to be set on an already initialized superblock
Date: Thu, 25 May 2017 17:07:53 -0400	[thread overview]
Message-ID: <20170525210754.24265-2-smayhew@redhat.com> (raw)
In-Reply-To: <20170525210754.24265-1-smayhew@redhat.com>

When an NFSv4 client performs a mount operation, it first mounts the
NFSv4 root and then does a path walk to the exported path and performs a
submount on that, cloning the security mount options from the root's
superblock to the submount's superblock in the process.

Unless the NFS server has an explicit fsid=0 export with the
"security_label" option, the NFSv4 root superblock will not have
SBLABEL_MNT set, and neither will the submount superblock after cloning
the security mount options.  As a result, setxattr's of security labels
over NFSv4.2 will fail.

Allowing the NFSv4 client to override the SECURITY_LSM_NATIVE_LABELS
flag on an initialized superblock will ensure that SBLABEL_MNT is set
when the client traverses from an exported path without the
"security_label" option to one with the "security_label" option.

Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
 security/selinux/hooks.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e67a526..366ab86 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -730,7 +730,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	 * will be used for both mounts)
 	 */
 	if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
-	    && (num_opts == 0))
+	    && (num_opts == 0) && !(kern_flags & SECURITY_LSM_NATIVE_LABELS))
 		goto out;
 
 	root_isec = backing_inode_security_novalidate(root);
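Review bot: the relaxed early return means that when SECURITY_LSM_NATIVE_LABELS is passed for an already-initialized superblock (SE_SBINITIALIZED set, FS_BINARY_MOUNTDATA, num_opts == 0), the rest of selinux_set_mnt_opts now runs again on that superblock, starting with the root_isec lookup on the line following the hunk. The comment block ending just above the condition ("will be used for both mounts") still describes only the skip case; please extend it to say that native-label requests from the filesystem are the exception and must fall through so SBLABEL_MNT can be applied. Also, the hunk itself does not show where SBLABEL_MNT is derived from kern_flags, so the commit message's claim rests on code outside this hunk; a brief note in the comment pointing at that spot would help reviewers confirm the path. Style: the combined condition now exceeds the 80-column limit; break it after `(num_opts == 0)` as kernel style expects.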
@@ -797,7 +797,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 		}
 	}
 
-	if (sbsec->flags & SE_SBINITIALIZED) {
+	if (sbsec->flags & SE_SBINITIALIZED && !(kern_flags & SECURITY_LSM_NATIVE_LABELS)) {
 		/* previously mounted with options, but not on this attempt? */
 		if ((sbsec->flags & SE_MNTMASK) && !num_opts)
 			goto out_double_mount;
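Review bot: skipping this whole block for native-label requests also skips the consistency checks inside it, including the "previously mounted with options, but not on this attempt?" check that jumps to out_double_mount. Unlike the first hunk, this condition no longer requires num_opts == 0, so an initialized superblock that was mounted with explicit context options could be re-processed here with a different option set and without the double-mount guard; please either keep the `(sbsec->flags & SE_MNTMASK) && !num_opts` check outside the new exception or state why the NFS submount path guarantees num_opts == 0 when it sets SECURITY_LSM_NATIVE_LABELS. Style: `sbsec->flags & SE_SBINITIALIZED && !(kern_flags & ...)` relies on `&` binding tighter than `&&`, which is correct but inconsistent with the parenthesized form used in the first hunk; write it as `(sbsec->flags & SE_SBINITIALIZED) && !(kern_flags & SECURITY_LSM_NATIVE_LABELS)` and wrap the line to stay within 80 columns.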
-- 
2.9.3
