Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp2695268ybh; Mon, 9 Mar 2020 11:05:17 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuIadEMhaH87Fl7BqWvq9ug3H+cOFOo43GzhILaUGPIr0JgV3Y7i6SVvPwyl2laD4dO7TYo X-Received: by 2002:aca:d954:: with SMTP id q81mr55657oig.157.1583777116715; Mon, 09 Mar 2020 11:05:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583777116; cv=none; d=google.com; s=arc-20160816; b=HDyv1t1SVJd6da16hxFYYmVXEcRoUp/EgVR3mBOve+eR/hJxHlc4+tazJk4P7RB0R0 FgqH2xpCy44EvMDoOXhPgSPLDXQGSaftE95lmAKPVJVgh84Xu+i2A/hL0GWTj/ZJ1BNZ Zo1+VWWYMjUUfnXHmjF3lcePGXq7tdKMj6M/dDpSq0O3iwNQgukXJn0P3mEmzpao9Eky nvXcgau8hgKjKLkFR8DNo4gBJLMKLKXQrG0YG2QnuO7Il+KyuNYg5G3zsLApIQqvLn17 dMNAjaN+LoRtwXkQjdYhVuZ76F1tZQaSjgIpewgvlX1zWoG/fkwD41WdnhR6RFs2l4/j CRdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=hgs8oWpZQnH5qRObxG0wmFLSg6UwmwwZ+TH8F8blMGY=; b=O2MRIZvIzB9YXc0Wg170dGMoFkw+opDmNcRTFzS8KILKoQuPdjQp1H/qBGRyRG9ELg NJ54/LkzERIfB8n66JdPkf9V6ZYqsnGcfDVEccBFpSmbFUvdWnRw/Xfc0GEkyX2rQRBx waJ7vrMV3ZhPJGDZDChwDEE0FTTtEn2HZt1J7LplgzznAgeial6j8nxGTFKVjoX3JuUO NvktgcrUWrzXh8X7a8Ca1TXoO3vaiZnQ0tx7y+hSjjy5VyzxNu8Mf/Ksib25M+aEVfyf FMMyK/DxIdbTO2gQkAfQ1QIv2zSrYUt1SKAvSYB/N5R9N7ril7tT9YJO7ViXvzQppQah PGwQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=V0AAX2JE; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w9si7033749otl.138.2020.03.09.11.04.54; Mon, 09 Mar 2020 11:05:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=V0AAX2JE; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726467AbgCISEp (ORCPT + 99 others); Mon, 9 Mar 2020 14:04:45 -0400 Received: from mail-ot1-f68.google.com ([209.85.210.68]:42459 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726169AbgCISEo (ORCPT ); Mon, 9 Mar 2020 14:04:44 -0400 Received: by mail-ot1-f68.google.com with SMTP id 66so10472243otd.9; Mon, 09 Mar 2020 11:04:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hgs8oWpZQnH5qRObxG0wmFLSg6UwmwwZ+TH8F8blMGY=; b=V0AAX2JEPmWjiBIj6+GqL4IfltS75Sodc8a3O0FKTKmqMsncMtb/iTxvF2Wvne73+r tB1BI/uD017aqDR3b6upC27TDpLI1iD2C1KuTl5pm6YeiwpWq3kR2Vewv9X6FYesa/k5 DG+wsc6ugMwdaPf9Esocze28A7kIrKVp32Umzwu96q1Wj80+KXqT2qU/wd7h/TeAL6tT 8JK4rd9cRzx/oq5BeOysgZBVCywOGWMk+cBzgHzthlLy8NSWTD2PCbGB0Ftn5WSUTJz9 O7aql6nxnx+y/Tb2GqLW8A+w8cYc3Obt3eVediPRTI4qbwOKmQ4F/JJUjovJLZO107De 8Jhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hgs8oWpZQnH5qRObxG0wmFLSg6UwmwwZ+TH8F8blMGY=; b=Xs409BdSLtS8AFG9defLwUWpAkj2cHFAk/kTjGZKsbBnoJDDjSebiGf4Np5gtUy3XF o85bnuUofMGyUB3XneuLa9bb12waVvu43gqTNtDaNcX5G8beTMjnzkA6XQbGJOZa6tqF BI/zJNS5gpb2AhqSJLrMMlBBlGIntpxJpvTYYJwJy25EQHhs1HkP0FkMqIymopPHX5XX SYXo20PrpbsRWsQoX4l9329gfNO2iZpFyQi5enrFXorbZE5ZNUNICsegkrO10uhaLEr+ vAFCEVR1yXG+b2+MA7hCAirezp7Zd7b7TpSgs0K6aho5SKBonQ7Jqs5SD/ZjV6APog36 YQTA== X-Gm-Message-State: ANhLgQ2rybNtILeuTVPbttFvNJQ+78qsW3kp5+Zq6aR7nARMKO9lBnyh PVxIuk6TQgjVi7q5wPMMBx0YT8kG3Cxw4zBilYs= X-Received: by 2002:a9d:67c3:: with SMTP id c3mr5584575otn.340.1583777083488; Mon, 09 Mar 2020 11:04:43 -0700 (PDT) MIME-Version: 1.0 References: <20200303225837.1557210-1-smayhew@redhat.com> <6bb287d1687dc87fe9abc11d475b3b9df061f775.camel@btinternet.com> <20200304143701.GB3175@aion.usersys.redhat.com> <20200306220132.GD3175@aion.usersys.redhat.com> <41dadf5423aa1b9c0910ac3d805e6caf785dec8f.camel@btinternet.com> In-Reply-To: <41dadf5423aa1b9c0910ac3d805e6caf785dec8f.camel@btinternet.com> From: Stephen Smalley Date: Mon, 9 Mar 2020 14:05:34 -0400 Message-ID: Subject: Re: [PATCH] NFS: Ensure security label is set for root inode To: Richard Haines Cc: Scott Mayhew , trond.myklebust@hammerspace.com, anna.schumaker@netapp.com, bfields@fieldses.org, Paul Moore , Stephen Smalley , linux-nfs@vger.kernel.org, SElinux list Content-Type: text/plain; charset="UTF-8" Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Mon, Mar 9, 2020 at 12:41 PM Richard Haines wrote: > > On Mon, 2020-03-09 at 09:35 -0400, Stephen Smalley wrote: > > 1. Mount the same filesystem twice with two different sets of context > > mount options, check that mount(2) fails with errno EINVAL. > > I've tests for the first part already, however with NFS it returns > EBUSY (using mount(2) or the fixed fsconfig(2)). On ext4, xfs & vfat it > does return EINVAL. I guess another NFS bug. Also mount(8) ignores the > error and just carries on. Here is a test using the testsuite mount(2): Looks like selinux_cmp_sb_context() returns -EBUSY on error instead of -EINVAL. This goes back to 094f7b69ea738d7d619cba449d2af97159949459 ("selinux: make security_sb_clone_mnt_opts return an error on context mismatch"). I guess you can just make the test accept either -EINVAL or -EBUSY for the time being and we'll have to consider whether we want to change it and what would break if we did.