Re: Weird bug in NFS/SELinux

On Thu, Mar 18, 2021 at 5:59 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> Hello,
>
> While trying to figure out why the NFS tests in the selinux-testsuite
> [1] are failing, I ran into this strange bug: When I mount an NFS
> filesystem on some directory, and then immediately attempt to create
> exactly the same mount on the same directory (fails with -EBUSY as
> expected per mount(2)), then all the entries inside the mount (but not
> the root node) show up as unlabeled
> (system_u:object_r:unlabeled_t:s0). For some reason this doesn't
> happen if I list the directory contents between the two mounts.
>
> It happens at least with kernels 5.12-rc2 and 5.8.6, so it's likely an old bug.
>
> Minimal reproducer (assumes an SELinux-enabled system and that nothing
> is mounted at /etc):
> ```
> # set up a trivial NFS export
> systemctl start nfs-server
> exportfs -o rw,no_root_squash,security_label localhost:/
>
> #
> # reference scenario - single mount
> #
> mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
>
> ls -lZ /mnt    # labels are correct
> ls -lZd /mnt   # label is correct
>
> #
> # double mount - BUG
> #
> mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
>
> ls -lZ /mnt    # all labels are system_u:object_r:unlabeled_t:s0
> ls -lZd /mnt   # label is correct
>
> #
> # double mount with ls in between - OK
> #
> mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> ls -lZ /mnt    # labels are correct
> ls -lZd /mnt   # label is correct
> mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
>
> ls -lZ /mnt    # labels are correct
> ls -lZd /mnt   # label is correct

Hi Ondrej, a couple of questions about the reproducer. (1) Are you
saying that only the "mount, mount, ls" sequence is problematic, as you
write that "mount, ls, mount, ls" is correct? (2) What is your SELinux
configuration? I can't reproduce it on my setup. I get the same labels
regardless of how many times I mount.


> ```
>
> I haven't had time to dig deeper. Hopefully someone who knows the
> internals of NFS will be able to find the root cause easier than me...
>
> [1] https://github.com/SELinuxProject/selinux-testsuite/
>
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
>
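
A check for the symptom described in the report above, as an added example that is not part of the original thread or of the selinux-testsuite: it flags entries directly under a mount point whose SELinux type is `unlabeled_t`, skipping the root node as the report does. The function names and the sample lines are constructed for illustration; it assumes GNU `find` and `stat` (`%C` prints the SELinux context).

```shell
#!/bin/sh
# Added example: detect the "entries show up as unlabeled_t" symptom.

# Reads "context path" lines (the format of: stat -c '%C %n') on stdin and
# prints every path whose context has the type unlabeled_t.
unlabeled_paths() {
    while IFS=' ' read -r ctx path; do
        # A context is user:role:type:level; the level may itself contain
        # colons (MLS categories), so take the third field from the left.
        type=${ctx#*:}
        type=${type#*:}
        type=${type%%:*}
        [ "$type" = "unlabeled_t" ] && printf '%s\n' "$path"
    done
    return 0
}

# Live check for a mounted directory, e.g. check_mount /mnt after each mount
# step of the reproducer. Returns 1 if any direct child is unlabeled.
check_mount() {
    dir=$1
    bad=$(find "$dir" -mindepth 1 -maxdepth 1 -exec stat -c '%C %n' {} + \
          | unlabeled_paths)
    if [ -n "$bad" ]; then
        printf 'unlabeled entries under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what stat would report in the "double mount" case.
sample_double_mount() {
    printf '%s\n' \
        'system_u:object_r:unlabeled_t:s0 /mnt/hosts' \
        'system_u:object_r:unlabeled_t:s0 /mnt/my file'
}

# Constructed sample: what stat would report in the single-mount case.
sample_single_mount() {
    printf '%s\n' \
        'system_u:object_r:net_conf_t:s0 /mnt/hosts' \
        'system_u:object_r:passwd_file_t:s0:c0.c1023 /mnt/passwd'
}

# Demonstration on the constructed data; prints the two flagged paths.
sample_double_mount | unlabeled_paths
```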


