Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp2451356ybh; Mon, 9 Mar 2020 06:13:20 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtjnMur3ZyqUKE3NHfIbYeSGDr6tKIWvI05nGd/b28hno8OXCKaW5Tt+NNUaItDA+6St/J/ X-Received: by 2002:a9d:138:: with SMTP id 53mr13135871otu.67.1583759600468; Mon, 09 Mar 2020 06:13:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583759600; cv=none; d=google.com; s=arc-20160816; b=cSFBod0JSNOk3QxPY7dFDMrpTMSf5DvKjD+DxVjieDZuiejp/UOwx5r118T5IpHYTG en9Uer+ueUXn3GSkr4XNMczYzs4GabLY2Bhze5uie44PUG4YZ44IkKfs7SS3C2zCgrM8 XE0WOX5NKCsCTWM5OXtux/WJUywVBS0kNSnaDnIkenLQ9gA6ZOxXsIs0LRMu6npMh2u/ WWoFuWiOg34Mul4W8OC6JS6imE+0NonJrwtJmFGR44QqlH3IdfvMmwltImGuJMW8NloA 7ZZeOiB7i60oi3J9RHWtyNbXgktb+7/4aoIli7Gmc0SFY60WcUNfIKCbnpTq1MVlwvj1 fS6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=YMXkCHfi6tRjigLBwiP/Sb8yB6KUUIstGIL9eSbm0bM=; b=IhNGsNxoo078dikHxdTuFJbWW7gtxBKpYb5gZXN+JcPgxzygbTjDo6GBugM7gd+biX BVkR5FY91PWkN/4h8vtdDdQC6nuDJAWk3GMSYVHfoQGTr3ZhAN7p/jXJ0hImmg4jBLsZ ci+8zYf6CWpoqf4yvh17j3SKDSL0kwx34Tz1x6gpxDMKHd8pmJ/KtCwWQLs1/PFcCja+ Gp+RTZ9lcwdm8XY8sa8rd7CeFoA6dDhKFdg1CDcMEQIbR4o+PmggPFdNFdvXQR5jK62f kl7Xu8QE0dnqEuD2YktcPeZqmoWaM34ace4rkK52bJnmBzauebK3fP+mXQ2uE9s6T1oT wtEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=jgmg7AQO; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b80si3878072oii.199.2020.03.09.06.12.54; Mon, 09 Mar 2020 06:13:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=jgmg7AQO; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726427AbgCINMo (ORCPT + 99 others); Mon, 9 Mar 2020 09:12:44 -0400 Received: from mail-oi1-f193.google.com ([209.85.167.193]:36596 "EHLO mail-oi1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725956AbgCINMo (ORCPT ); Mon, 9 Mar 2020 09:12:44 -0400 Received: by mail-oi1-f193.google.com with SMTP id t24so10089272oij.3; Mon, 09 Mar 2020 06:12:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YMXkCHfi6tRjigLBwiP/Sb8yB6KUUIstGIL9eSbm0bM=; b=jgmg7AQODy6ArktDYFhSC5bvkoB84U/ZJaWMvQCDcDb0xjtZovx2vu6MsllR5obLkx r26y2Yrs6uCYe8ISzVfIxisOp56N76S/BSC0Bi1ClmUVRt/w1HxcTYfdnwZ0SGP4MluD vtbBl+9UuyX61nK3/4mcWprAHgl8Dwda0Ry56rPFZMWOdQyqTd1kbgoQneqPE/JWHXso 3uMoP6vtMfvJ6RSvdJS0pY+0zISDb9E2KhroK3+gKb9NVB74sP4C33DFj4iz6PPWrfu3 wYYZVly9LpY6ydONDIcZ1v8T6Wu94y+1n7Ro9I8VaPtBGsKgw6xYLvMMFPpRuNYXG6/w +T0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YMXkCHfi6tRjigLBwiP/Sb8yB6KUUIstGIL9eSbm0bM=; b=VhvxBa4qVnePAZpJLcYoolU2jdF2MPTEhGXIGfSm9bNomGZ/DmaonnKnzogtt3CviC fgkGPg3Rgq4D1lIv4LO9Q4/li7xBgeiqCXRG2tzr3TxpoHCD/9sqFyNvKBN3Fy98KFrj owBcTBXtbwghe6hdxvnskSp5lZFNmsPOGgEQ1vinzgHKDjzMlrTYp0fmAwpwpR0Ckdbj X5a01r5Zg2Yz/54XNR09JT8EA2uKfg0+a2shPhQaWZsGxmKFtgoKmB0twssJ5tYu+n0S 6PLXzF68qh0oGmFenqOfntAvTIJT/8OQ3y7r0UVamdFS5Cgp+o2shb+toJmTd/zRfWjb X49A== X-Gm-Message-State: ANhLgQ3v4dzmZnKN0ZRdhQcPe92XzEumFfqbplt09ejkibS6hDX0s39a quLonF8XA31s2hU2cc9pphey6FsyHgU/4ji4SZdpzlGs X-Received: by 2002:a05:6808:34c:: with SMTP id j12mr10737228oie.92.1583759563233; Mon, 09 Mar 2020 06:12:43 -0700 (PDT) MIME-Version: 1.0 References: <20200303225837.1557210-1-smayhew@redhat.com> <6bb287d1687dc87fe9abc11d475b3b9df061f775.camel@btinternet.com> <20200304143701.GB3175@aion.usersys.redhat.com> <20200306220132.GD3175@aion.usersys.redhat.com> In-Reply-To: <20200306220132.GD3175@aion.usersys.redhat.com> From: Stephen Smalley Date: Mon, 9 Mar 2020 09:14:19 -0400 Message-ID: Subject: Re: [PATCH] NFS: Ensure security label is set for root inode To: Scott Mayhew Cc: Richard Haines , trond.myklebust@hammerspace.com, anna.schumaker@netapp.com, bfields@fieldses.org, Paul Moore , Stephen Smalley , linux-nfs@vger.kernel.org, SElinux list Content-Type: text/plain; charset="UTF-8" Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Fri, Mar 6, 2020 at 5:01 PM Scott Mayhew wrote: > > On Wed, 04 Mar 2020, Stephen Smalley wrote: > > I'm not sure that rootcontext= should be supported or is supportable > > over labeled NFS. > > Should rootcontext= be supported for NFS versions < 4.2? If not then > maybe it that option should be rejected for nfs and nfs4 fstypes in > selinux_set_mnt_opts(). Looks like it gets ignored currently? $ sudo exportfs -orw,no_root_squash localhost:/home $ sudo mkdir -p /mnt/selinux-testsuite $ sudo mount -t nfs -o vers=4.0,rootcontext=system_u:object_r:etc_t:s0 localhost:/home/sds/selinux-testsuite /mnt/selinux-testsuite $ ls -Zd /mnt/selinux-testsuite system_u:object_r:nfs_t:s0 /mnt/selinux-testsuite $ mount | grep testsuite localhost:/home/sds/selinux-testsuite on /mnt/selinux-testsuite type nfs4 (rw,relatime,rootcontext=system_u:object_r:etc_t:s0,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1) I don't think we need to support it, but I don't know if we explicitly need to test and reject it for nfs/nfs4. > > It's primary use case is to allow assigning a specific context other > > than the default policy-defined one > > to the root directory for filesystems that support labeling but don't > > have existing labels on their root > > directories, e.g. tmpfs mounts. Even if we set the rootcontext based > > on rootcontext= during mount(2), > > it would likely get overridden by subsequent attribute fetches from > > the server I would think (e.g. it probably > > already switches to the context from the server after 30 seconds or > > Yes, that's what happens. If we wanted to retain that behavior moving > forward, then we need to avoid calling nfs_setsecurity() for the root > inode when the rootcontext= option was used. To do that, I think we'd > need to add a flag that could be passed back to NFS via the > set_kern_flags parameter of selinux_set_mnt_opts(). Doesn't seem justified. > > so?). As long as the separate context= option > > continues to work correctly on NFS, I'm not overly concerned about this. > > Yep, the context= option still works. Great, then I have no objections to this patch.