Re: [PATCH] nfs: fix oops when trying to set SELinux label

[Dave Quigley <dpquigl@davequigley.com>]

On 11/1/2013 1:05 PM, Myklebust, Trond wrote:
>
> On Nov 1, 2013, at 12:57, Jeff Layton <jlayton@redhat.com> wrote:
>
>> On Fri, 1 Nov 2013 16:50:00 +0000
>> "Myklebust, Trond" <Trond.Myklebust@netapp.com> wrote:
>>
>>> On Fri, 2013-11-01 at 12:02 -0400, Jeff Layton wrote:
>>>> It looks like _nfs4_get_security_label() has the same problem, but I've
>>>> so far been unable to get it to be called, so I didn't patch it. It
>>>> seems like getxattr does some special stuff for SELinux labels that
>>>> cause them only to ever be fetched once.
>>>>
>>>> Is there some trick to it?
>>>>
>>>
>>> Doesn't 'ls -Z' cause them to security label to be read again?
>>>
>>
>> As best I can tell, security labels are set on the inode when the inode
>> is instantiated, and then are reset on changes (i.e. setxattr). If
>
> …and on getxattr, afaics.
>
>> another client changes the label though, it's not clear to me how your
>> client would ever notice it until the inode is dropped from the cache.
>>
>> ISTR Eric Paris explaining to me that they do that for performance
>> reasons but it seems like something that needs to be reconsidered in
>> light of labeled NFS. Not picking up a security label change seems like
>> a bug, IMO...
>
> To be effective, the security label should normally be set at file creation time. It should rarely, if ever, change. Why would you need to change it from a different client?
>
> Cheers,
>    Trond
>

That isn't completely true. Security labels should be set on creation 
but they may change. An SELinux label consists of 
user:role:type:level/categories. In RHEL and Fedora level/categories 
implements something called multi category security. One level multiple 
categories with the constraint on categories being that all must match 
for access to be allowed. This is how sVirt work. It picks two 
categories and setups the qemu process to start with these categories 
and then manipulates the files  on disk to have these categories such 
that even though the qemu_t proess can access the files type enforcement 
wise the categories deny it. Its what allows for SELinux based per 
process separation of a type.

Dave