On Thu, Mar 18, 2021 at 2:43 PM Olga Kornievskaia <aglo@xxxxxxxxx> wrote:
> On Thu, Mar 18, 2021 at 5:59 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > Hello,
> >
> > While trying to figure out why the NFS tests in the selinux-testsuite
> > [1] are failing, I ran into this strange bug: When I mount an NFS
> > filesystem on some directory, and then immediately attempt to create
> > exactly the same mount on the same directory (fails with -EBUSY as
> > expected per mount(2)), then all the entries inside the mount (but not
> > the root node) show up as unlabeled
> > (system_u:object_r:unlabeled_t:s0). For some reason this doesn't
> > happen if I list the directory contents between the two mounts.
> >
> > It happens at least with kernels 5.12-rc2 and 5.8.6, so it's likely an old bug.
> >
> > Minimal reproducer (assumes an SELinux-enabled system and that nothing
> > is mounted at /etc):
> > ```
> > # set up a trivial NFS export
> > systemctl start nfs-server
> > exportfs -o rw,no_root_squash,security_label localhost:/
> >
> > #
> > # reference scenario - single mount
> > #
> > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> >
> > ls -lZ /mnt # labels are correct
> > ls -lZd /mnt # label is correct
> >
> > #
> > # double mount - BUG
> > #
> > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> >
> > ls -lZ /mnt # all labels are system_u:object_r:unlabeled_t:s0
> > ls -lZd /mnt # label is correct
> >
> > #
> > # double mount with ls in between - OK
> > #
> > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> > ls -lZ /mnt # labels are correct
> > ls -lZd /mnt # label is correct
> > mount -t nfs -o "nfsvers=4.2" localhost:/etc /mnt
> >
> > ls -lZ /mnt # labels are correct
> > ls -lZd /mnt # label is correct
>
> Hi Ondrej, a couple of questions about the reproducer. (1) are you
> saying that only "mount, mount, ls" sequence is problematic as you
> write "mount, ls, mount, ls" is correct? (2) what is your selinux
> configuration. I can't reproduce it on my setup. I get the same labels
> regardless of how many times I mount.

(1) Yes, exactly.
(2) I reproduced it reliably on clean Fedora VM images (e.g. Fedora 33
or Rawhide, both showed this bug).

> > ```
> >
> > I haven't had time to dig deeper. Hopefully someone who knows the
> > internals of NFS will be able to find the root cause easier than me...
> >
> > [1] https://github.com/SELinuxProject/selinux-testsuite/
> >
> > --
> > Ondrej Mosnacek
> > Software Engineer, Linux Security - SELinux kernel
> > Red Hat, Inc.
> >
>

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.