Hello,

While trying to figure out why the NFS tests in the selinux-testsuite [1] are failing, I ran into this strange bug:

When I mount an NFS filesystem on some directory, and then immediately attempt to create exactly the same mount on the same directory (fails with -EBUSY as expected per mount(2)), then all the entries inside the mount (but not the root node) show up as unlabeled (system_u:object_r:unlabeled_t:s0). For some reason this doesn't happen if I list the directory contents between the two mounts.

It happens at least with kernels 5.12-rc2 and 5.8.6, so it's likely an old bug.

Minimal reproducer (assumes an SELinux-enabled system and that nothing is mounted at /etc):

```
# set up a trivial NFS export
systemctl start nfs-server
exportfs -o rw,no_root_squash,security_label localhost:/

#
# reference scenario - single mount
#
mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt

ls -lZ /mnt    # labels are correct
ls -lZd /mnt   # label is correct

#
# double mount - BUG
#
mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt

ls -lZ /mnt    # all labels are system_u:object_r:unlabeled_t:s0
ls -lZd /mnt   # label is correct

#
# double mount with ls in between - OK
#
mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt

ls -lZ /mnt    # labels are correct
ls -lZd /mnt   # label is correct

mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt

ls -lZ /mnt    # labels are correct
ls -lZd /mnt   # label is correct
```

I haven't had time to dig deeper. Hopefully someone who knows the internals of NFS will be able to find the root cause easier than me...

[1] https://github.com/SELinuxProject/selinux-testsuite/

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
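
A scripted check for the symptom reported in the message above, added here as an example and not part of the original post or of the selinux-testsuite. The function name `classify_labels`, the verdict strings and the sample lines are assumptions made for illustration; the input format is the one GNU find prints with `-printf '%Z %p\n'`.

```shell
#!/bin/sh
# classify_labels ROOT
# Reads "<selinux-context> <path>" lines on stdin and prints
# "<verdict> <unlabeled>/<children>", where verdict is:
#   ok            no child of ROOT has type unlabeled_t
#   partial       some children are unlabeled_t
#   double-mount  ROOT itself is labeled but every child is unlabeled_t,
#                 which is the pattern the report describes
# Live use (assumes GNU find on an SELinux-enabled system):
#   find /mnt -maxdepth 1 -printf '%Z %p\n' | classify_labels /mnt
classify_labels() {
    awk -v root="$1" '
    {
        ctx  = $1
        path = substr($0, length(ctx) + 2)   # keeps spaces in file names
        # user:role:type:range... The type is always the third field,
        # even when the MLS range itself contains colons.
        n    = split(ctx, f, ":")
        type = (n >= 3) ? f[3] : "?"
        if (path == root) { root_type = type; next }
        total++
        if (type == "unlabeled_t") bad++
    }
    END {
        bad += 0; total += 0
        if (bad == 0)
            verdict = "ok"
        else if (bad == total && root_type != "" && root_type != "unlabeled_t")
            verdict = "double-mount"
        else
            verdict = "partial"
        printf "%s %d/%d\n", verdict, bad, total
    }'
}

# Constructed sample input imitating the "double mount - BUG" scenario.
sample_double_mount() {
    printf '%s\n' \
        'system_u:object_r:etc_t:s0 /mnt' \
        'system_u:object_r:unlabeled_t:s0 /mnt/passwd' \
        'system_u:object_r:unlabeled_t:s0 /mnt/my file'
}

sample_double_mount | classify_labels /mnt
```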