Message-ID: <1490894827.2099.2.camel@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: Fix SBLABEL_MNT for NFS mounts
From: Stephen Smalley
To: Tomeu Vizoso, "J. Bruce Fields"
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, James Morris, selinux@tycho.nsa.gov
Date: Thu, 30 Mar 2017 13:27:07 -0400
In-Reply-To:
References: <20170329152724.19030-1-tomeu.vizoso@collabora.com> <20170329213439.GC19617@parsley.fieldses.org>
Organization: National Security Agency
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2017-03-30 at 09:49 +0200, Tomeu Vizoso wrote:
> On 29 March 2017 at 23:34, J. Bruce Fields wrote:
> > On Wed, Mar 29, 2017 at 05:27:23PM +0200, Tomeu Vizoso wrote:
> > > Labelling of files in an NFSv4.2 currently fails with ENOTSUPP because
> > > the mount point doesn't have SBLABEL_MNT.
> > >
> > > Add specific condition for NFS4 filesystems so it gets correctly
> > > labeled.
> >
> > Huh.  Looking at the code, I think this is meant to be handled by the
> > SECURITY_FS_USE_NATIVE case--there was a similar failure fixed some time
> > ago by 9fc2b4b436cf.  What kernel are you seeing this on?  Is it a
> > recent regression (in which case, what's the latest kernel that worked
> > for you)?
>
> I have seen this on 4.11-rc4, but I never tried to get this working
> before.
>
> I will try to find time to see why SECURITY_FS_USE_NATIVE isn't
> working here.

Does your exports file specify the "security_label" option, e.g.
/path/to/dir example.com(rw,security_label)

It appears that with recent kernels that is now required; otherwise, the
mount defaults to not enabling native labeling and all of the files are
treated as having a single, fixed label defined by the client policy (and
hence setxattr is not supported).  This was kernel commit
32ddd944a056c786f6acdd95ed29e994adc613a2.  I don't recall seeing any
discussion of this on the selinux list.  I understand the rationale, but it
seems like a user-visible regression and at the very least, it seems odd
that they didn't just use "seclabel" as the kernel does in /proc/mounts to
signify a filesystem that supports security labeling by userspace.
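As an added example (not part of Stephen's message and not code from the kernel tree), the script below performs the two checks the reply points at: that the server's exports entry carries the "security_label" option for every client clause, and that the client's NFSv4.2 mount shows "seclabel" in its /proc/mounts options, which is how the kernel advertises a filesystem that supports security labeling by userspace. The file names, host names and the sample exports/mounts data are constructed; on a real system point the two functions at /etc/exports on the server and /proc/mounts on the client.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel tree.  Checks the
# two preconditions for SELinux labeling over NFSv4.2 discussed above:
#   1. the server's exports entry lists "security_label" for every client
#      clause on the line, and
#   2. the client's mount shows "seclabel" in its /proc/mounts options
#      (the SBLABEL_MNT case; without it setxattr fails with ENOTSUPP).
# Paths, host names and the sample exports/mounts data are constructed.

# export_has_security_label <exports-file> <exported-path>
# Returns 0 if the path is exported and every client clause on its line
# carries security_label; 1 if any clause lacks it or the path is absent.
export_has_security_label() {
    exports_file=$1
    path=$2
    found=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
        set -- $line                                # $1=path, rest=clauses
        [ "$1" = "$path" ] || continue
        found=1
        shift
        for clause in "$@"; do
            opts=${clause#*\(}                      # host(opts) -> opts)
            opts=${opts%\)}                         # opts) -> opts
            case ",$opts," in
                *,security_label,*) ;;
                *) return 1 ;;                      # this client lacks it
            esac
        done
    done < "$exports_file"
    [ "$found" -eq 1 ]
}

# mount_has_seclabel <mounts-file> <mountpoint>
# Returns 0 if the mountpoint's option list (in /proc/mounts format)
# contains "seclabel", 1 otherwise (including when it is not mounted).
mount_has_seclabel() {
    mounts_file=$1
    mnt=$2
    while read -r dev dir fstype opts rest; do
        [ "$dir" = "$mnt" ] || continue
        case ",$opts," in
            *,seclabel,*) return 0 ;;
            *) return 1 ;;
        esac
    done < "$mounts_file"
    return 1
}

# Constructed sample data standing in for the server's /etc/exports and
# the client's /proc/mounts.
sample_exports=$(mktemp)
sample_mounts=$(mktemp)
trap 'rm -f "$sample_exports" "$sample_mounts"' EXIT
cat > "$sample_exports" <<'EOF'
# constructed /etc/exports
/srv/labeled  example.com(rw,security_label)
/srv/plain    example.com(rw)
/srv/mixed    a.example.com(rw,security_label) b.example.com(rw)
EOF
cat > "$sample_mounts" <<'EOF'
nfs.example.com:/srv/labeled /mnt/labeled nfs4 rw,relatime,vers=4.2,seclabel,addr=192.0.2.10 0 0
nfs.example.com:/srv/plain /mnt/plain nfs4 rw,relatime,vers=4.2,addr=192.0.2.10 0 0
EOF

for p in /srv/labeled /srv/plain /srv/mixed; do
    if export_has_security_label "$sample_exports" "$p"; then
        printf '%s: security_label set for all clients\n' "$p"
    else
        printf '%s: security_label missing for at least one client (setxattr will fail there)\n' "$p"
    fi
done
for m in /mnt/labeled /mnt/plain; do
    if mount_has_seclabel "$sample_mounts" "$m"; then
        printf '%s: seclabel present, native labeling enabled\n' "$m"
    else
        printf '%s: no seclabel, all files get one fixed label from client policy\n' "$m"
    fi
done
```

The export check is deliberately per-client: security_label is an option inside each client clause, so a line that grants it to one host and not another still leaves the second host's mounts unlabeled, which is why /srv/mixed is reported as missing it.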