From: Stephen Smalley
Date: Tue, 10 Mar 2020 11:20:13 -0400
Subject: Re: [PATCH] NFS: Ensure security label is set for root inode
To: Richard Haines
Cc: Scott Mayhew, trond.myklebust@hammerspace.com, anna.schumaker@netapp.com, bfields@fieldses.org, Paul Moore, Stephen Smalley, linux-nfs@vger.kernel.org, SElinux list, David Howells, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org
X-Mailing-List: linux-nfs@vger.kernel.org

On Tue, Mar 10, 2020 at 9:27 AM Richard Haines wrote:
>
> On Mon, 2020-03-09 at 09:35 -0400, Stephen Smalley wrote:
> > 2. Mount a security_label exported NFS filesystem twice, confirm that
> > NFS security labeling support isn't silently disabled by trying to
> > set a label on a file and confirm it is set (fixed by kernel commit
> > 3815a245b50124f0865415dcb606a034e97494d4). This would go in
> > tools/nfs.sh since it is NFS-specific.
>
> And another one. If you run the same mount twice using mount(2) you get
> EBUSY.
> If you run with fsmount(2) it works. A simple test below, just
> set $1 to fs for fsmount(2)

I don't know if that's a bug or just an inconsistency between mount(2)
and fsmount(2). Question for David, Al, and/or fsdevel (cc'd).

>
> Otherwise I've completed the remaining tests with no problems.
>
> #!/bin/sh -e
> MOUNT=`stat --print %m .`
> TESTDIR=`pwd`
> NET="nfsvers=4.2,proto=tcp,clientaddr=127.0.0.1,addr=127.0.0.1"
>
> function err_exit() {
>     echo "Error on line: $1 - Closing down NFS"
>     umount /mnt/selinux-testsuite
>     exportfs -u localhost:$MOUNT
>     rmdir /mnt/selinux-testsuite
>     systemctl stop nfs-server
>     exit 1
> }
>
> trap 'err_exit $LINENO' ERR
>
> systemctl start nfs-server
> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
> mkdir -p /mnt/selinux-testsuite
>
> if [ $1 ] && [ $1 = 'fs' ]; then
>     RUN="tests/fs_filesystem/fsmount"
> else
>     RUN="tests/filesystem/mount"
> fi
>
> $RUN -v -f nfs -o vers=4.2,$NET,context=system_u:object_r:etc_t:s0 -s localhost:$TESTDIR -t /mnt/selinux-testsuite
> $RUN -v -f nfs -o vers=4.2,$NET,context=system_u:object_r:etc_t:s0 -s localhost:$TESTDIR -t /mnt/selinux-testsuite
> echo "Testing context mount of a security_label export."
> fctx=`secon -t -f /mnt/selinux-testsuite`
> if [ "$fctx" != "etc_t" ]; then
>     echo "Context mount failed: got $fctx instead of etc_t."
>     err_exit $LINENO
> fi
> umount /mnt/selinux-testsuite
> umount /mnt/selinux-testsuite
>
> echo "Done"
> exportfs -u localhost:$MOUNT
> rmdir /mnt/selinux-testsuite
> systemctl stop nfs-server