On Mon, Feb 24, 2020 at 9:15 AM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> 2) There is an nfs kernel bug where the top-level mounted directory shows
> up with unlabeled_t initially, then later gets refreshed to a
> valid context. policy/test_filesystem.te contains allow rules to
> bypass this as the bug is marked as closed - not fixed.

I don't think you should allow these since it is a bug that should be fixed (just because they chose to close it without fixing doesn't mean it isn't a bug). I think nfs just needs to call nfs_setsecurity() or at least security_inode_notifysecctx() on the root inode when using native labeling before it is first used in any call to permission or exposed to userspace.
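Added example, not part of this thread or of the selinux-testsuite: a small shell check for the symptom described above, where the root of a natively labeled NFS mount is reported as unlabeled_t until something refreshes it. It assumes a labeled NFS mount already exists at the path given, that GNU stat's %C format prints the SELinux context, and that listing the directory is enough to trigger the refresh; all three are assumptions, and the context strings used in the comments are constructed.

```shell
#!/bin/sh
# Example check (added here, not from the thread): observe the mount root's
# SELinux context twice and report if the first observation is unlabeled_t
# or if the two observations disagree.

# Return 0 (true) if a context of the form user:role:type:range has type unlabeled_t.
# e.g. context_is_unlabeled "system_u:object_r:unlabeled_t:s0"  -> true
context_is_unlabeled() {
    ctx_type=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$ctx_type" = "unlabeled_t" ]
}

# Given two observations of the root context, return 0 (symptom present) if the
# first was unlabeled_t or the label changed between observations.
root_label_changed() {
    first=$1
    second=$2
    if context_is_unlabeled "$first"; then
        printf 'root inode first seen as %s, later %s (stale unlabeled_t)\n' "$first" "$second"
        return 0
    fi
    if [ "$first" != "$second" ]; then
        printf 'root inode context changed from %s to %s\n' "$first" "$second"
        return 0
    fi
    return 1
}

# Observe the mount root immediately, then again after a directory listing
# (assumed here to be enough to make the client refresh the label).
check_nfs_root_label() {
    mnt=$1
    first=$(stat -c %C "$mnt")
    ls "$mnt" >/dev/null 2>&1
    second=$(stat -c %C "$mnt")
    root_label_changed "$first" "$second"
}

# Usage: check_nfs_root_label /mnt/nfs-labeled && echo "symptom reproduced"
```

If the first observation already comes back with the proper type, the check cannot distinguish "fixed" from "refreshed before userspace looked", so run it right after mount and before anything else touches the mountpoint.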