Re: [PATCH] selinux: fix setting of security labels on NFS

On Fri, Jun 05, 2015 at 02:28:51PM -0400, Paul Moore wrote:
> On Thursday, June 04, 2015 03:57:25 PM J. Bruce Fields wrote:
> > From: "J. Bruce Fields" <bfields@xxxxxxxxxx>
> > 
> > Before calling into the filesystem, vfs_setxattr calls
> > security_inode_setxattr, which ends up calling selinux_inode_setxattr in
> > our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
> > SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
> > only if selinux_is_sblabel_mnt returns true.
> > 
> > The selinux_is_sblabel_mnt logic was broken by eadcabc697e9 "SELinux: do
> > all flags twiddling in one place", which didn't take into account
> > the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
> > with eb9ae686507b "SELinux: Add new labeling type native labels".
> > 
> > This caused setxattr's of security labels over NFSv4.2 to fail.
> > 
> > Cc: stable@xxxxxxxxxx
> > Cc: Eric Paris <eparis@xxxxxxxxxx>
> > Cc: David Quigley <dpquigl@xxxxxxxxxxxxxxx>
> > Reported-by: Richard Chan <rc556677@xxxxxxxxxxx>
> > Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx>
> > ---
> >  security/selinux/hooks.c | 1 +
> >  1 file changed, 1 insertion(+)
> 
> Applied, thanks.

Thanks!

> In the future, you don't have to worry about marking it for 
> stable, I'll take care of that when I merge it into the tree.

OK.  With roles reversed, I usually appreciate the stable tag from
submitters, just as a statement of their opinion as to whether it's
stable-worthy, which can always be overridden.

(I mean, this one seems obvious enough--one-liner, fixes a user-visible
regression--but in more complicated cases their opinion might be
useful.)

By the way, I suspect this requires (obvious) fixups to apply to some
older kernels, let me know if help's needed there.

--b.

> 
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index e8a060bd9677..171fb30e4b99 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -403,6 +403,7 @@ static int selinux_is_sblabel_mnt(struct super_block
> > *sb) return sbsec->behavior == SECURITY_FS_USE_XATTR ||
> >  		sbsec->behavior == SECURITY_FS_USE_TRANS ||
> >  		sbsec->behavior == SECURITY_FS_USE_TASK ||
> > +		sbsec->behavior == SECURITY_FS_USE_NATIVE ||
> >  		/* Special handling. Genfs but also in-core setxattr handler */
> >  		!strcmp(sb->s_type->name, "sysfs") ||
> >  		!strcmp(sb->s_type->name, "pstore") ||
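
Review bot: the added `sbsec->behavior == SECURITY_FS_USE_NATIVE` test in selinux_is_sblabel_mnt() extends a hand-maintained list of behaviors, and nothing in the function tells whoever adds the next labeling behavior that it has to be listed here as well; the commit message describes this regression as exactly that kind of omission. A one-line comment above the return, stating that this is the set of behaviors for which SBLABEL_MNT gets set, would make that visible. Since the message already names eadcabc697e9 as the commit that broke the logic, a `Fixes:` line citing it would also let stable backports be scoped to kernels that contain that commit.
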
> 
> -- 
> paul moore
> www.paul-moore.com