On Fri, 1 Nov 2013 17:05:08 +0000 "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> wrote:

> On Nov 1, 2013, at 12:57, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>
> > On Fri, 1 Nov 2013 16:50:00 +0000
> > "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> wrote:
> >
> >> On Fri, 2013-11-01 at 12:02 -0400, Jeff Layton wrote:
> >>> It looks like _nfs4_get_security_label() has the same problem, but I've
> >>> so far been unable to get it to be called, so I didn't patch it. It
> >>> seems like getxattr does some special stuff for SELinux labels that
> >>> cause them only to ever be fetched once.
> >>>
> >>> Is there some trick to it?
> >>>
> >>
> >> Doesn't 'ls -Z' cause the security label to be read again?
> >>
> >
> > As best I can tell, security labels are set on the inode when the inode
> > is instantiated, and then are reset on changes (i.e. setxattr). If
>
> ...and on getxattr, afaics.
>

I don't see that. The call chain is something like this:

    vfs_getxattr
      xattr_getsecurity
        security_inode_getsecurity
          selinux_inode_getsecurity

...and that function looks like it just converts the current security
context on the inode to text and plops that into the buffer.

> > another client changes the label though, it's not clear to me how your
> > client would ever notice it until the inode is dropped from the cache.
> >
> > ISTR Eric Paris explaining to me that they do that for performance
> > reasons but it seems like something that needs to be reconsidered in
> > light of labeled NFS. Not picking up a security label change seems like
> > a bug, IMO...
>
> To be effective, the security label should normally be set at file
> creation time. It should rarely, if ever, change. Why would you need to
> change it from a different client?
>

At least in Fedora, there are SELinux policy changes all the time.
Sometimes that involves changing how files are labeled. I don't think
it's reasonable to assume that they only get set at creation time.
-- 
Jeff Layton <jlayton@xxxxxxxxxx>