On Fri, 1 Nov 2013 16:50:00 +0000 "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> wrote: > On Fri, 2013-11-01 at 12:02 -0400, Jeff Layton wrote: > > It looks like _nfs4_get_security_label() has the same problem, but I've > > so far been unable to get it to be called, so I didn't patch it. It > > seems like getxattr does some special stuff for SELinux labels that > > cause them only to ever be fetched once. > > > > Is there some trick to it? > > > > Doesn't 'ls -Z' cause them to security label to be read again? > As best I can tell, security labels are set on the inode when the inode is instantiated, and then are reset on changes (i.e. setxattr). If another client changes the label though, it's not clear to me how your client would ever notice it until the inode is dropped from the cache. ISTR Eric Paris explaining to me that they do that for performance reasons but it seems like something that needs to be reconsidered in light of labeled NFS. Not picking up a security label change seems like a bug, IMO... > Either way, the fix is clearly needed, so I've added the patch, and Cced > stable. > Thanks! -- Jeff Layton <jlayton@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
