From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>, Paul Moore <paul@paul-moore.com>
Subject: Re: Possibly unwanted rootcontext= behavior?
Date: Thu, 5 Nov 2020 08:51:18 -0500
Message-ID: <CAEjxPJ7cwBpLGoTmzGOUJFq5QuFCHG+xydiGYAtk2hV0d8ww3g@mail.gmail.com>
In-Reply-To: <CAFqZXNvT=G4HPiugi6vnnJMGLgv5MsumURQij0cnFjLrnXZ93Q@mail.gmail.com>

On Thu, Nov 5, 2020 at 7:44 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Hello everyone,
>
> while trying to fix the NFS rootcontext= issue, I realized that this
> funny thing is possible:
>
> # mount -o rootcontext=system_u:object_r:lib_t:s0 -t tmpfs tmpfs /mnt
> # ls -lZd /mnt
> drwxrwxrwt. 2 root root system_u:object_r:lib_t:s0 40 nov  5 07:30 /mnt
> # mount
> [...]
> tmpfs on /mnt type tmpfs
> (rw,relatime,rootcontext=system_u:object_r:lib_t:s0,seclabel)
> # chcon -t bin_t /mnt
> # ls -lZd /mnt
> drwxrwxrwt. 2 root root system_u:object_r:bin_t:s0 40 nov  5 07:30 /mnt
> # mount
> [...]
> tmpfs on /mnt type tmpfs
> (rw,relatime,rootcontext=system_u:object_r:bin_t:s0,seclabel)
>
> I.e. if you mount a tree with rootcontext=<oldctx> and then relabel
> the root node to <newctx>, the displayed mount options will report
> rootcontext=<newctx> instead of rootcontext=<oldctx>. A side effect is
> that if you try to mount the same superblock again, it will only
> permit you to mount with rootcontext=<newctx>, not with
> rootcontext=<oldctx>.
>
> Is that intended, bad, or "weird, but doesn't matter" behavior?

I'd say it is bad.

> I have a halfway written patch to disallow altering the root node's
> context when mounted with rootcontext=, but I'm not sure if that's the
> right thing to do or not.

Probably the better fix would be to save the original rootcontext SID as a
new field of the superblock security struct and use that both when
displaying the mount options and when comparing old and new mount options
instead of what happens to be assigned to the root inode at the time.
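The behaviour Ondrej reports means that the rootcontext= shown by mount(8) or /proc/mounts cannot be trusted to be the context the mount was requested with: it follows whatever label the root directory currently carries. The script below is an added example, not code from this thread or from the kernel; it compares the rootcontext= recorded for a mount (for instance its /etc/fstab line) against the value the kernel currently reports, and flags the drift that a chcon on the root directory produces. The fstab and /proc/mounts lines it works on are constructed here, reusing the lib_t/bin_t contexts from the report, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect a mount whose reported
# rootcontext= no longer matches the rootcontext= it was requested with.
# Because the kernel reports the root inode's current label, a mismatch
# means the root directory was relabelled after the mount was created.

# Print the value of rootcontext= from a comma-separated option string,
# or nothing if the option is absent.
get_rootcontext() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^rootcontext=//p' | head -n 1
}

# Return the option string of one line in either of two formats:
#   mount(8) output:        <src> on <target> type <fstype> (<options>)
#   /etc/fstab, /proc/mounts: <src> <target> <fstype> <options> ...
mount_options() {
    case "$1" in
        *" on "*" type "*)
            printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p' ;;
        *)
            printf '%s\n' "$1" | awk '{ print $4 }' ;;
    esac
}

# Compare the requested line ($1) with the currently reported line ($2).
# Prints "ok", "drift", or "unlabelled" when no rootcontext= was requested.
check_rootcontext() {
    requested=$(get_rootcontext "$(mount_options "$1")")
    reported=$(get_rootcontext "$(mount_options "$2")")
    if [ -z "$requested" ]; then
        echo unlabelled
    elif [ "$requested" = "$reported" ]; then
        echo ok
    else
        echo drift
    fi
}

# Constructed sample lines mirroring the report: the mount was requested
# with lib_t; after "chcon -t bin_t /mnt" the kernel reports bin_t.
FSTAB_LINE='tmpfs /mnt tmpfs rootcontext=system_u:object_r:lib_t:s0 0 0'
MOUNT_OUTPUT_BEFORE_CHCON='tmpfs on /mnt type tmpfs (rw,relatime,rootcontext=system_u:object_r:lib_t:s0,seclabel)'
PROC_MOUNTS_AFTER_CHCON='tmpfs /mnt tmpfs rw,relatime,rootcontext=system_u:object_r:bin_t:s0,seclabel 0 0'

# Demonstration on the constructed lines.
printf 'before chcon: %s\n' "$(check_rootcontext "$FSTAB_LINE" "$MOUNT_OUTPUT_BEFORE_CHCON")"
printf 'after chcon:  %s\n' "$(check_rootcontext "$FSTAB_LINE" "$PROC_MOUNTS_AFTER_CHCON")"
```

On a live system the two arguments would come from `grep ' /mnt ' /etc/fstab` and `grep ' /mnt ' /proc/mounts`; a "drift" result is exactly the situation in which a second mount of the same superblock would only be accepted with the new context.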


Thread overview: 7+ messages
2020-11-05 12:44 Possibly unwanted rootcontext= behavior? Ondrej Mosnacek
2020-11-05 13:51 ` Stephen Smalley [this message]
2020-11-05 15:31   ` Paul Moore
2020-11-05 17:22     ` Ondrej Mosnacek
2020-11-05 17:28       ` Stephen Smalley
2020-11-05 17:36         ` Stephen Smalley
2020-11-06  4:12         ` Paul Moore