On Wed, Mar 4, 2020 at 9:37 AM Scott Mayhew <smayhew@xxxxxxxxxx> wrote:
>
> On Wed, 04 Mar 2020, Richard Haines wrote:
> > I built and tested this patch on selinux-next (note that the NFS module
> > is a few patches behind).
> > The unlabeled problem is solved, however using:
> >
> > mount -t nfs -o
> > vers=4.2,rootcontext=system_u:object_r:test_filesystem_file_t:s0
> > localhost:$TESTDIR /mnt/selinux-testsuite
> >
> > I get the message:
> > mount.nfs: an incorrect mount option was specified
> > with a log entry:
> > SELinux: mount invalid. Same superblock, different security
> > settings for (dev 0:42, type nfs)
> >
> > If I use "fscontext=" instead then works okay. Using no context option
> > also works. I guess the rootcontext= option should still work ???
>
> Thanks for testing. It definitely wasn't my intention to break
> anything, so I'll look into it.

I'm not sure that rootcontext= should be supported or is supportable
over labeled NFS. Its primary use case is to allow assigning a
specific context other than the default policy-defined one to the root
directory for filesystems that support labeling but don't have
existing labels on their root directories, e.g. tmpfs mounts. Even if
we set the rootcontext based on rootcontext= during mount(2), it would
likely get overridden by subsequent attribute fetches from the server
I would think (e.g. it probably already switches to the context from
the server after 30 seconds or so?). As long as the separate context=
option continues to work correctly on NFS, I'm not overly concerned
about this.

I should note that we are getting similar errors though when trying to
specify any context-related mount options on NFS via the new
fsconfig(2) system call, see
https://github.com/SELinuxProject/selinux-kernel/issues/49

I don't know if this change in when security_sb_set_mnt_opts() will
alter that situation any.

Also, FYI, we have recently made it possible to run the
selinux-testsuite without errors within a labeled NFS mount. If you
clone https://github.com/SELinuxProject/selinux-testsuite/ and follow
the README.md instructions including the NFS section and run
./tools/nfs.sh, it will export and mount the testsuite directory via
labeled NFS over loopback and run all tests that can be supported over
NFS, and then runs a few specific tests for context= mount options
(but not the other mount options at present). It still needs some
further enhancements as per
https://github.com/SELinuxProject/selinux-testsuite/issues/32#issuecomment-582992492
but it at least provides some degree of regression testing.