From: sds@tycho.nsa.gov (Stephen Smalley)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts
Date: Thu, 30 Mar 2017 13:27:07 -0400 [thread overview]
Message-ID: <1490894827.2099.2.camel@tycho.nsa.gov> (raw)
In-Reply-To: <CAAObsKDThPAQpgO7R+JT=foU1=BEor-Zy7DES2tnGe=rGe=REw@mail.gmail.com>
On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote:
> On 29 March 2017 at 23:34, J. Bruce Fields <bfields@redhat.com>
> wrote:
> > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote:
> > > Labelling of files in a NFSv4.2 currently fails with ENOTSUPP
> > > because
> > > the mount point doesn't have SBLABEL_MNT.
> > >
> > > Add specific condition for NFS4 filesystems so it gets correctly
> > > labeled.
> >
> > Huh.??Looking at the code, I think this is meant to be handled by
> > the
> > SECURITY_FS_USE_NATIVE case--there was a similar failure fixed some
> > time
> > ago by 9fc2b4b436cf.??What kernel are you seeing this on???Is it a
> > recent regression (in which case, what's the latest kernel that
> > worked
> > for you)?
>
> I have seen this on 4.11-rc4, but I never tried to get this working
> before.
>
> I will try to find time to see why SECURITY_FS_USE_NATIVE isn't
> working here.
Does your exports file specify the "security_label" option, e.g.
/path/to/dir example.com(rw,security_label)
It appears that with recent kernels that is now required; otherwise,
the mount defaults to not enabling native labeling and all of the files
are treated as having a single, fixed label defined by the client
policy (and hence setxattr is not supported). This was kernel commit
32ddd944a056c786f6acdd95ed29e994adc613a2. I don't recall seeing any
discussion of this on selinux list. I understand the rationale, but it
seems like a user-visible regression and at the very least, it seems
odd that they didn't just use "seclabel" as the kernel does in
/proc/mounts to signify a filesystem that supports security labeling by
userspace.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-03-30 17:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-29 15:27 [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts Tomeu Vizoso
2017-03-29 21:34 ` J. Bruce Fields
2017-03-30 7:49 ` Tomeu Vizoso
2017-03-30 17:27 ` Stephen Smalley [this message]
2017-03-30 17:41 ` J. Bruce Fields
2017-03-30 17:52 ` Stephen Smalley
2017-04-04 23:26 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490894827.2099.2.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).