On Nov 1, 2013, at 12:57, Jeff Layton <jlayton@xxxxxxxxxx> wrote:

> On Fri, 1 Nov 2013 16:50:00 +0000
> "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> wrote:
>
>> On Fri, 2013-11-01 at 12:02 -0400, Jeff Layton wrote:
>>> It looks like _nfs4_get_security_label() has the same problem, but I've
>>> so far been unable to get it to be called, so I didn't patch it. It
>>> seems like getxattr does some special stuff for SELinux labels that
>>> cause them only to ever be fetched once.
>>>
>>> Is there some trick to it?
>>>
>>
>> Doesn't 'ls -Z' cause the security label to be read again?
>>
>
> As best I can tell, security labels are set on the inode when the inode
> is instantiated, and then are reset on changes (i.e. setxattr). If

…and on getxattr, afaics.

> another client changes the label though, it's not clear to me how your
> client would ever notice it until the inode is dropped from the cache.
>
> ISTR Eric Paris explaining to me that they do that for performance
> reasons but it seems like something that needs to be reconsidered in
> light of labeled NFS. Not picking up a security label change seems like
> a bug, IMO...

To be effective, the security label should normally be set at file creation time. It should rarely, if ever, change. Why would you need to change it from a different client?

Cheers,
  Trond