On Fri, Mar 6, 2020 at 5:01 PM Scott Mayhew <smayhew@xxxxxxxxxx> wrote:
>
> On Wed, 04 Mar 2020, Stephen Smalley wrote:
> > I'm not sure that rootcontext= should be supported or is supportable
> > over labeled NFS.
>
> Should rootcontext= be supported for NFS versions < 4.2? If not then
> maybe that option should be rejected for nfs and nfs4 fstypes in
> selinux_set_mnt_opts().

Looks like it gets ignored currently?

$ sudo exportfs -orw,no_root_squash localhost:/home
$ sudo mkdir -p /mnt/selinux-testsuite
$ sudo mount -t nfs -o vers=4.0,rootcontext=system_u:object_r:etc_t:s0 localhost:/home/sds/selinux-testsuite /mnt/selinux-testsuite
$ ls -Zd /mnt/selinux-testsuite
system_u:object_r:nfs_t:s0 /mnt/selinux-testsuite
$ mount | grep testsuite
localhost:/home/sds/selinux-testsuite on /mnt/selinux-testsuite type nfs4 (rw,relatime,rootcontext=system_u:object_r:etc_t:s0,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp6,timeo=600,retrans=2,sec=sys,clientaddr=::1,local_lock=none,addr=::1)

I don't think we need to support it, but I don't know if we explicitly
need to test and reject it for nfs/nfs4.

> > Its primary use case is to allow assigning a specific context other
> > than the default policy-defined one
> > to the root directory for filesystems that support labeling but don't
> > have existing labels on their root
> > directories, e.g. tmpfs mounts. Even if we set the rootcontext based
> > on rootcontext= during mount(2),
> > it would likely get overridden by subsequent attribute fetches from
> > the server I would think (e.g. it probably
> > already switches to the context from the server after 30 seconds or
>
> Yes, that's what happens. If we wanted to retain that behavior moving
> forward, then we need to avoid calling nfs_setsecurity() for the root
> inode when the rootcontext= option was used. To do that, I think we'd
> need to add a flag that could be passed back to NFS via the
> set_kern_flags parameter of selinux_set_mnt_opts().

Doesn't seem justified.

> > so?). As long as the separate context= option
> > continues to work correctly on NFS, I'm not overly concerned about this.
>
> Yep, the context= option still works.

Great, then I have no objections to this patch.
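The session quoted above shows mount(8) accepting rootcontext= on an NFSv4.0 mount while the root directory keeps the server-supplied nfs_t label. As an added example that is not part of the thread, the following POSIX sh script automates that comparison from /proc/self/mounts and stat(1); the function names and the sample option string are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a rootcontext=
# mount option was actually applied to the mount point's root directory,
# i.e. detect the silent-ignore behaviour shown for NFSv4.0 above.

# Print the value of rootcontext= from a comma-separated mount option
# string (field 4 of /proc/self/mounts), or nothing if the option is absent.
extract_rootcontext() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^rootcontext=//p' | head -n 1
}

# Exit 0 if the requested rootcontext equals the label observed on the
# mount point, 1 if it differs, 2 if rootcontext= was not requested.
rootcontext_applied() {
    requested=$(extract_rootcontext "$1")
    [ -n "$requested" ] || return 2
    [ "$requested" = "$2" ]
}

# Live check on an SELinux host: options come from /proc/self/mounts and
# the observed label from stat(1)'s %C format. Exit status as above.
check_mount() {
    mnt=$1
    opts=$(awk -v m="$mnt" '$2 == m { print $4; exit }' /proc/self/mounts)
    label=$(stat -c %C -- "$mnt")
    rc=0
    rootcontext_applied "$opts" "$label" || rc=$?
    case $rc in
        0) echo "$mnt: rootcontext honoured ($label)" ;;
        1) echo "$mnt: rootcontext IGNORED, root labelled $label" ;;
        2) echo "$mnt: no rootcontext= option on this mount" ;;
    esac
    return $rc
}

# Usage when run directly, e.g.: sh check_rootcontext.sh /mnt/selinux-testsuite
if [ "$#" -gt 0 ]; then
    check_mount "$1"
fi
```

A non-zero exit of 1 on an NFS mount is exactly the case discussed in the thread: the option is carried in the mount table but has no effect on the label.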