From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:42436 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933093AbbGHHY3 (ORCPT ); Wed, 8 Jul 2015 03:24:29 -0400 Subject: Patch "selinux: fix setting of security labels on NFS" has been added to the 4.1-stable tree To: bfields@redhat.com, dpquigl@davequigley.com, eparis@redhat.com, gregkh@linuxfoundation.org, pmoore@redhat.com, rc556677@outlook.com, sds@tycho.nsa.gov Cc: , From: Date: Wed, 08 Jul 2015 00:24:28 -0700 Message-ID: <1436340268177234@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled selinux: fix setting of security labels on NFS to the 4.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: selinux-fix-setting-of-security-labels-on-nfs.patch and it can be found in the queue-4.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 9fc2b4b436cff7d8403034676014f1be9d534942 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Thu, 4 Jun 2015 15:57:25 -0400 Subject: selinux: fix setting of security labels on NFS From: "J. Bruce Fields" commit 9fc2b4b436cff7d8403034676014f1be9d534942 upstream. Before calling into the filesystem, vfs_setxattr calls security_inode_setxattr, which ends up calling selinux_inode_setxattr in our case. That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set. SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it only if selinux_is_sblabel_mnt returns true. The selinux_is_sblabel_mnt logic was broken by eadcabc697e9 "SELinux: do all flags twiddling in one place", which didn't take into the account the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs with eb9ae686507b "SELinux: Add new labeling type native labels". This caused setxattr's of security labels over NFSv4.2 to fail. Cc: Eric Paris Cc: David Quigley Reported-by: Richard Chan Signed-off-by: J. Bruce Fields Acked-by: Stephen Smalley [PM: added the stable dependency] Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman --- security/selinux/hooks.c | 1 + 1 file changed, 1 insertion(+) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -403,6 +403,7 @@ static int selinux_is_sblabel_mnt(struct return sbsec->behavior == SECURITY_FS_USE_XATTR || sbsec->behavior == SECURITY_FS_USE_TRANS || sbsec->behavior == SECURITY_FS_USE_TASK || + sbsec->behavior == SECURITY_FS_USE_NATIVE || /* Special handling. Genfs but also in-core setxattr handler */ !strcmp(sb->s_type->name, "sysfs") || !strcmp(sb->s_type->name, "pstore") || Patches currently in stable-queue which might be from bfields@redhat.com are queue-4.1/selinux-fix-setting-of-security-labels-on-nfs.patch