Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1458612imm; Wed, 19 Sep 2018 19:46:46 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbPgMniOfKj2Vr+jxybnjzV60Qwwe/QjkRiIL/jtkGzWad3Gyh7DSip4g9kynCakD/O6mbI X-Received: by 2002:a65:4d42:: with SMTP id j2-v6mr34175717pgt.232.1537411606452; Wed, 19 Sep 2018 19:46:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537411606; cv=none; d=google.com; s=arc-20160816; b=joFkeWW2+rlLZzraHF1sTm4tFaReLF8iplUaIXe0l9UQ17b/YCTYGuExRtR7rs/Wtc jmX3nNURmWLdc2ZDU0t5s7mmBqHR5Ab3WMt/nV5Lebv2l3q0NycKZrPWzexXdjvWRPqY BPdUagqovV38wmDy7/571S6mTTFA5ocG60k5NRls0y18MfJbxv9llnnByMQ0ysiLymQi HTMrOmw/SZgAbsDMEiRg8Ir7fVOo0SB4QwoYVcgLPjNnoxUr2VHl+qNCd6wNZL0BJzjy aVSVkB8op5CnCoBPjfv4JVi9HUamp01vCXoAwtDMAd+/01TSaHYOPNCdoyr/MpZchAvC iWbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:date:subject:user-agent:message-id :references:cc:in-reply-to:from:to:content-transfer-encoding :mime-version:dkim-signature; bh=BO+GPnKmgtZArWXbQ/jz7Qp6ethi+WrWDxl2RP1eBu0=; b=p75TwziM/cMN628CnFnhrsiX3CH6TyTYN4KcvlW389F1p5IDHqaBZg4/koH+NlJQb8 PQ3dWGj56jCI0G2ucfrlQB+Hl9XJySZ840ecQDM+bEdqvfunuEIljyu6cv+NNiP+sfBo CM7YGxCi2yanfbdvSMzROGLMKeo8VAe+sY+rPMjUoPsZt25I/hbwNax3Nb1biiRm1/XI ZwDCOBAZf2Mmh9XkqT6Yvx61PhdZw9Vie9bLSNbTfnggQEkad5Xk2M/rrUlFMXb//XtK svU5QNpl4eBsdrCUjuJIP43ZKiESCcNW8lpkQMcxe92Ix2y/OJRFUm+JQO4wJDfiEAO7 5/pw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=OMSfoMB5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cisco.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m23-v6si21706951pgl.51.2018.09.19.19.46.30; Wed, 19 Sep 2018 19:46:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@cisco.com header.s=iport header.b=OMSfoMB5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=cisco.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731731AbeITIWt (ORCPT + 99 others); Thu, 20 Sep 2018 04:22:49 -0400 Received: from alln-iport-8.cisco.com ([173.37.142.95]:8030 "EHLO alln-iport-8.cisco.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726006AbeITIWs (ORCPT ); Thu, 20 Sep 2018 04:22:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5654; q=dns/txt; s=iport; t=1537411308; x=1538620908; h=mime-version:content-transfer-encoding:to:from: in-reply-to:cc:references:message-id:subject:date; bh=v5hQPKHK13h9y2rYw2GmKS1vQH4c6R4lgd/2rGqqE4w=; b=OMSfoMB5IdFMdClSOBhuQBjjY84altAYsk6VtYPW3/OUJXOSZLLyrkHo E0hDvR3YsyoATlCJwibZ11msRd13H+Qkq1P/QpCuWrkq5BsP1Q+zR8ken LeiFpZ4zpaQFqzBSP1nkKFI+Gf+PgQewFyTIV77q6cMxTphfTP05z7iRu o=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AwAACzB6Nb/49dJa1cGgEBAQEBAgE?= =?us-ascii?q?BAQEIAQEBAYFQgV4qgWQog3OIFYwygWgliGmNZIF6C4RsAoM7ITQYAQMBAQI?= =?us-ascii?q?BAQJtKEIMAYRpAQEBAQIBIwRFCgMQCw4KAgImAgJHEAYBEhuEewUIpDh7M4o?= =?us-ascii?q?fFHeJYheBQT+BRYJfhEchFoMBglcCiB0hEIYSjXwJkDoJAo8PlHGBQjiBVXA?= =?us-ascii?q?VeAtWgU6CJRd6AQGNOx8wiE+CUYJMAQE?= X-IronPort-AV: E=Sophos;i="5.53,396,1531785600"; d="scan'208";a="173602672" Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Sep 2018 02:41:47 +0000 Received: from localhost ([10.156.154.30]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTP id w8K2flTq001574; Thu, 20 Sep 2018 02:41:47 GMT Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable To: Eric Paris , Paul Moore , Stephen Smalley From: Taras Kondratiuk In-Reply-To: Cc: selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, xe-linux-external@cisco.com References: <20180919165248.53090-1-takondra@cisco.com> Message-ID: <153741130781.7326.1773144725860636439@takondra-t460s> User-Agent: alot/0.6 Subject: Re: [RFC PATCH] selinux: add a fallback to defcontext for native labeling Date: Wed, 19 Sep 2018 19:41:47 -0700 X-Auto-Response-Suppress: DR, OOF, AutoReply X-Outbound-SMTP-Client: 10.156.154.30, [10.156.154.30] X-Outbound-Node: rcdn-core-7.cisco.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Quoting Stephen Smalley (2018-09-19 12:00:33) > On 09/19/2018 12:52 PM, Taras Kondratiuk wrote: > > When files on NFSv4 server are not properly labeled (label doesn't match > > a policy on a client) they will end up with unlabeled_t type which is > > too generic. We would like to be able to set a default context per > > mount. 'defcontext' mount option looks like a nice solution, but it > > doesn't seem to be fully implemented for native labeling. Default > > context is stored, but is never used. > > = > > The patch adds a fallback to a default context if a received context is > > invalid. If the inode context is already initialized, then it is left > > untouched to preserve a context set locally on a client. > = > Can you explain the use case further? Why are you exporting a = > filesystem with security labeling enabled to a client that doesn't = > understand all of the labels used within it? Why wouldn't you just = > disable NFSv4 security labeling and/or use a regular context=3D mount to = > assign a single context to all files in the mount? Client and server are two embedded devices. They are part of a bigger modular system and normally run the same SW version, so they understand each others NFSv4 SELinux labels. But during migration from one SW version to another a client and a server may run different versions for some time. The immediate issue I'm trying to address is a migration between releases with and without SELinux policy. A client (with policy) gets initial SID labels from a server (without policy). Those labels are considered invalid, so files remain unlabeled. This also causes lots of errors from nfs_setsecurity() in dmesg. Using 'context=3D' at mount point level is an option, but in a normal case when both sides have a policy we need more granular labels. It is possible to detect a case when a server doesn't have a policy and remount with 'context=3D', but this special case handling looks a bit ugly. Having something like 'defcontext' whould allow to avoid this special case and unconditionally assign default context to the mountpoint. 'defcontext' may also help during migration between SELinux-enabled releases if a new release introduces labels that are not recognized by older release. In this case they can also fallback to defcontext. > = > To be clear, defcontext=3D doesn't work that way for local/FS_USE_XATTR = > filesystems. The context specified by it is only used for: > 1) files that don't implement the xattr inode operations at all, > 2) files that lack a security.selinux xattr, > 3) the MLS portion of the context if it was missing (strictly as a = > legacy compatibility mechanism for RHEL4 which predated the enabling of = > the MLS field/logic). > = > A file with a security.selinux xattr that is invalid under policy for = > any reason other than a missing MLS field will be handled as having the = > unlabeled context. inode_doinit_with_dentry() invokes security_context_to_sid_default() that invokes security_context_to_sid_core() with 'force' flag. Won't sidtab_context_to_sid() in this case allocate a new SID for the invalid xattr context instead of leaving it unlabeled? > = > So this would be a divergence in semantics for defcontext=3D between = > local/FS_USE_XATTR and NFS/FS_USE_NATIVE filesystems. Yeah, I also didn't like this semantics mismatch. But from another point defcontext allows to assign a context to files that would otherwise be unlabeled. Something similar I'd like to achive for NFS. > = > > = > > Signed-off-by: Taras Kondratiuk > > --- > > security/selinux/hooks.c | 25 ++++++++++++++++++++++++- > > 1 file changed, 24 insertions(+), 1 deletion(-) > > = > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index ad9a9b8e9979..f7debe798bf5 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -6598,7 +6598,30 @@ static void selinux_inode_invalidate_secctx(stru= ct inode *inode) > > */ > > static int selinux_inode_notifysecctx(struct inode *inode, void *ctx,= u32 ctxlen) > > { > > - return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx= , ctxlen, 0); > > + struct superblock_security_struct *sbsec; > > + struct inode_security_struct *isec; > > + int rc; > > + > > + rc =3D selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx= , ctxlen, 0); > = > In this case, we likely don't gain much by reusing = > selinux_inode_setsecurity() here and could just inline the relevant = > portion of it if we were to make this change. Logically they mean = > different things. > = > > + > > + /* > > + * In case of Native labeling with defcontext mount option fall b= ack > > + * to a default SID if received context is invalid. > > + */ > > + if (rc =3D=3D -EINVAL) { > > + sbsec =3D inode->i_sb->s_security; > > + if (sbsec->behavior =3D=3D SECURITY_FS_USE_NATIVE && > > + sbsec->flags & DEFCONTEXT_MNT) { > > + isec =3D inode->i_security; > > + if (!isec->initialized) { > > + isec->sclass =3D inode_mode_to_security_c= lass(inode->i_mode); > > + isec->sid =3D sbsec->def_sid; > > + isec->initialized =3D 1; > > + } > > + rc =3D 0; > > + } > > + } > > + return rc; > > } > > = > > /* > > = >=20