Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
References: <20200303225837.1557210-1-smayhew@redhat.com> <6bb287d1687dc87fe9abc11d475b3b9df061f775.camel@btinternet.com>
 <20200304143701.GB3175@aion.usersys.redhat.com>
In-Reply-To: <20200304143701.GB3175@aion.usersys.redhat.com>
From:   Stephen Smalley <stephen.smalley.work@gmail.com>
Date:   Wed, 4 Mar 2020 10:38:15 -0500
Message-ID: <CAEjxPJ7A1KRJ3+o0-edW3byYBSjGa7=KnU5QaYCiVt6Lq6ZfpA@mail.gmail.com>
Subject: Re: [PATCH] NFS: Ensure security label is set for root inode
To:     Scott Mayhew <smayhew@redhat.com>
Cc:     Richard Haines <richard_c_haines@btinternet.com>,
        trond.myklebust@hammerspace.com, anna.schumaker@netapp.com,
        bfields@fieldses.org, Paul Moore <paul@paul-moore.com>,
        Stephen Smalley <sds@tycho.nsa.gov>, linux-nfs@vger.kernel.org,
        SElinux list <selinux@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-nfs-owner@vger.kernel.org
Precedence: bulk

On Wed, Mar 4, 2020 at 9:37 AM Scott Mayhew <smayhew@redhat.com> wrote:
>
> On Wed, 04 Mar 2020, Richard Haines wrote:
> > I built and tested this patch on selinux-next (note that the NFS module
> > is a few patches behind).
> > The unlabeled problem is solved, however using:
> >
> > mount -t nfs -o
> > vers=4.2,rootcontext=system_u:object_r:test_filesystem_file_t:s0
> > localhost:$TESTDIR /mnt/selinux-testsuite
> >
> > I get the message:
> >     mount.nfs: an incorrect mount option was specified
> > with a log entry:
> >     SELinux: mount invalid.  Same superblock, different security
> > settings for (dev 0:42, type nfs)
> >
> > If I use "fscontext=" instead then works okay. Using no context option
> > also works. I guess the rootcontext= option should still work ???
>
> Thanks for testing.  It definitely wasn't my intention to break
> anything, so I'll look into it.

I'm not sure that rootcontext= should be supported or is supportable
over labeled NFS.
It's primary use case is to allow assigning a specific context other
than the default policy-defined one
to the root directory for filesystems that support labeling but don't
have existing labels on their root
directories, e.g. tmpfs mounts.  Even if we set the rootcontext based
on rootcontext= during mount(2),
it would likely get overridden by subsequent attribute fetches from
the server I would think (e.g. it probably
already switches to the context from the server after 30 seconds or
so?). As long as the separate context= option
continues to work correctly on NFS, I'm not overly concerned about this.

I should note that we are getting similar errors though when trying to
specify any context-related
mount options on NFS via the new fsconfig(2) system call, see
https://github.com/SELinuxProject/selinux-kernel/issues/49
I don't know if this change in when security_sb_set_mnt_opts() will
alter that situation any.

Also, FYI, we have recently made it possible to run the
selinux-testsuite without errors within a labeled NFS
mount.  If you clone
https://github.com/SELinuxProject/selinux-testsuite/ and follow the
README.md
instructions including the NFS section and run ./tools/nfs.sh, it will
export and mount the testsuite directory
via labeled NFS over loopback and run all tests that can be supported
over NFS, and then runs a few specific
tests for context= mount options (but not the other mount options at
present).  It still needs some further
enhancements as per
https://github.com/SELinuxProject/selinux-testsuite/issues/32#issuecomment-582992492
but it at least provides some degree of regression testing.