Received: by 2002:a4a:301c:0:0:0:0:0 with SMTP id q28-v6csp297014oof; Mon, 24 Sep 2018 20:47:32 -0700 (PDT) X-Google-Smtp-Source: ACcGV63v2TfHa1cFSxZsct5Z9eKUv26zlzPSWPwgr02iXYHSbTTFvhmWvGWvI/T64Br9eQBWNX4y X-Received: by 2002:a17:902:561:: with SMTP id 88-v6mr1515931plf.320.1537847252013; Mon, 24 Sep 2018 20:47:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537847251; cv=none; d=google.com; s=arc-20160816; b=ycOkNBxnKtoxDsbhbTucB0EGH354R8GDPKUHd/zLu8+tC60YLhveZ1vmpSS9PqEyyH EHpZ6maZ+WZ+vOMy3C5h0a0fhSiwU7+AhrN1u8bhGkLAKZrVg0JMg7ZySUTcHrBxYXpd akl0DMgxcKMMko7kuZ4XceKrPTpRZhWYs2JLGyvbOOBXU+KP537H93aLeCcfInSNS5pk K79kikGgt/l+eiAaDiDIIPlkvCpvR42wtIoUJWFe3Iaoho/juxy31jkM4+rQu23fsxXZ sYXd0pwD+gN0AeAc70pN+ei7iMKfcO7AFffS5ardkzqcxx2PoqrsxN9OUQHKlBD6JYus ycMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Z87e5uFX/admB8csiuT3JJaS7hI0OOVcYvhRJ8aoDy0=; b=FRCnDaT/fQAzQUZeX4U3x58Nsbr6gwMr7yfLkbF+OFrvoF1S38bQJHi72wtY3VuvRR zmp/ebkB+u6qrDuT8HTiy/5Pli/2jpP85TeVni9AI+tydi2dQlUmcjC2LkWyaXYDjK1N uxxNH0Az1J3IBIMqej1ANAPYkIV656gqE1f+j4+lm00tx01TLUjqT+LsynGow09qTxc4 KAB5UTxz/weElXwn/JZX7YxAcqAYJ7+Q+YoNuuySOvKP6B2MMOSMy0lv4GXRDriO9HEb OLiFeMEUYH4HjDAjzqP4dDCLL2y/052C8dw1HBJ5B9JDs1snDjRGecSf94XAeVVndM1x kwdg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=g4pJdXpi; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f35-v6si1250842plh.33.2018.09.24.20.47.14; Mon, 24 Sep 2018 20:47:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=g4pJdXpi; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728087AbeIYJwi (ORCPT + 99 others); Tue, 25 Sep 2018 05:52:38 -0400 Received: from mail-lf1-f68.google.com ([209.85.167.68]:39673 "EHLO mail-lf1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727469AbeIYJwi (ORCPT ); Tue, 25 Sep 2018 05:52:38 -0400 Received: by mail-lf1-f68.google.com with SMTP id w21-v6so4666844lff.6 for ; Mon, 24 Sep 2018 20:47:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z87e5uFX/admB8csiuT3JJaS7hI0OOVcYvhRJ8aoDy0=; b=g4pJdXpihRh68QY6rx8hMDtCxSn6x3LOM5gV2vx6Ts8MyvfsmkGO86t4GdPlbWkuAw fw/V2S1GaL23VORKGuOTZVvOjyp5CtnIx5MKtCb9w7MaDuRvN6Pih+JzPErRYyNobSPb axDcN2M/VUmc5AyVodPoz6j2db1GzV3FFi/hl+Nti8a0piU6csnjlHA+cmsaY18jJcJD mEzhmG2IMF5Y/kT8ZzLnw6oFLOVIDhuJusav5aMlGEC5cywVeivC1PpPCfdvFdV3xnzE 5dx6Mu6f7kNg3r2K0VRmYasbTjrZQB+yOWXOKIunoep+aVxIXkGRBAjriFgM6u3AqCw6 3EBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z87e5uFX/admB8csiuT3JJaS7hI0OOVcYvhRJ8aoDy0=; b=Gr637L4ljZ2f5X+anN5sbn62bKIi5Rti/JkNMFoV4UTXfvzajh4KiVFKoEIQ+JP+8F gXbm8Cr5zDKgY1yBsjKCGS2cjEEY0k6JnM8m9m+1SdrrlZNDM2EEZW6KuoaKwQDBUc31 SuBsOj6SI0XzZS4rS8bPot8Xv49pAA91n59T71R3asaJ+Ajc09cOPH/i4MbIjh3pwVzr sEaZ5PkUsgs8dNkx4Zwdh/r4u7F2mOW9JzWzeFrQRrl2EqDI5sYa72/rQLi7Y+5qlaIg y3BvrmhiynzdOjjfiXzsj1ChAg3XYoEPLQOh/ih8x9FlplL54kQYgqOWy1dLQOuAp+IH wvvA== X-Gm-Message-State: ABuFfoguTPPjqY3KOJimjZ0dtdb6enokGX1BUo8HSihDyRG5ezsomuLh QqR0u+vJoNjQRXwipI1S6gNYyhR2H21chJESIilv X-Received: by 2002:ac2:410d:: with SMTP id b13-v6mr976304lfi.19.1537847228114; Mon, 24 Sep 2018 20:47:08 -0700 (PDT) MIME-Version: 1.0 References: <20180919165248.53090-1-takondra@cisco.com> <153741130781.7326.1773144725860636439@takondra-t460s> <9a944aea-f35e-5a49-841d-6bfca8f17b9d@tycho.nsa.gov> <153748436388.5590.1406237328277739821@takondra-t460s> <66ec16b0-a335-d9ef-deb3-ef391cdd66e0@tycho.nsa.gov> In-Reply-To: <66ec16b0-a335-d9ef-deb3-ef391cdd66e0@tycho.nsa.gov> From: Paul Moore Date: Mon, 24 Sep 2018 23:46:57 -0400 Message-ID: Subject: Re: [RFC PATCH] selinux: add a fallback to defcontext for native labeling To: Stephen Smalley , takondra@cisco.com Cc: Eric Paris , selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, xe-linux-external@cisco.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 21, 2018 at 10:39 AM Stephen Smalley wrote: > On 09/20/2018 06:59 PM, Taras Kondratiuk wrote: > > Quoting Stephen Smalley (2018-09-20 07:49:12) > >> On 09/19/2018 10:41 PM, Taras Kondratiuk wrote: > >>> Quoting Stephen Smalley (2018-09-19 12:00:33) > >>>> On 09/19/2018 12:52 PM, Taras Kondratiuk wrote: ... > > IMO it would be more consistent if defcontext cover all "unlabeled" > > groups. It seems unlikely to me that somebody who currently uses > > defcontext can somehow rely on mapping invalid labels to unlabeled > > instead of default context. > > Yes, and that seems more consistent with the current documentation in > the mount man page for defcontext=. > > I'd be inclined to change selinux_inode_notifysecctx() to call > security_context_to_sid_default() directly instead of using > selinux_inode_setsecurity() and change security_context_to_sid_core() > and sidtab_search_core() as suggested above to save and use the def_sid > instead of SECINITSID_UNLABELED always (initializing the context def_sid > to SECINITSID_UNLABELED as the default). selinux_inode_setsecurity() we > should leave unchanged, or if we change it at all, it should be more > like the handling in selinux_inode_setxattr(). The notifysecctx hook is > invoked by the filesystem to notify the security module of the file's > existing security context, so in that case we always want the _default > behavior, whereas the setsecurity hook is invoked by the vfs or the > filesystem to set the security context of a file to a new value, so in > that case we would only use the _force interface if the caller had > CAP_MAC_ADMIN. > > Paul, what say you? NB This would be a user-visible behavior change for > mounts specifying defcontext= on xattr filesystems; files with invalid > contexts will then show up with the defcontext value instead of the > unlabeled context. If that's too risky, then we'd need a flag or > something to security_context_to_sid_default() to distinguish the > behaviors and only set it when called from selinux_inode_notifysecctx(). Visible changes like this are always worrisome, even though I think it is safe to assume that the defcontext option is not widely used. I'd feel much better if this change was opt-in. Which brings about it's own problems. We have the policy capability functionality, but that is likely a poor fit for this as the policy capabilities are usually controlled by the Linux distribution while the mount options are set by the system's administrator when the filesystem is mounted. We could add a toggle somewhere in selinuxfs, but I really dislike that idea, and would prefer to find a different solution if possible. I'm not sure how much flak we would get for introducing a new mount option, but perhaps that is the best way to handle this: defcontext would continue to behave as it does now, but new option X would behave as mentioned in this thread. Thoughts? -- paul moore www.paul-moore.com