On Fri, Feb 19, 2021 at 5:25 PM Olga Kornievskaia <olga.kornievskaia@xxxxxxxxx> wrote: > > From: Olga Kornievskaia <kolga@xxxxxxxxxx> > > Keep track of whether or not there were LSM security context > options passed during mount (ie creation of the superblock). > Then, while deciding if the superblock can be shared for the new > mount, check if the newly passed in LSM security context options > are compatible with the existing superblock's ones by calling > security_sb_mnt_opts_compat(). > > Previously, with selinux enabled, NFS wasn't able to do the > following 2mounts: > mount -o vers=4.2,sec=sys,context=system_u:object_r:root_t:s0 > <serverip>:/ /mnt > mount -o vers=4.2,sec=sys,context=system_u:object_r:swapfile_t:s0 > <serverip>:/scratch /scratch > > 2nd mount would fail with "mount.nfs: an incorrect mount option was > specified" and var log messages would have: > "SElinux: mount invalid. Same superblock, different security > settings for.." > > Signed-off-by: Olga Kornievskaia <kolga@xxxxxxxxxx> > --- > fs/nfs/fs_context.c | 3 +++ > fs/nfs/internal.h | 1 + > fs/nfs/super.c | 4 ++++ > include/linux/nfs_fs_sb.h | 1 + > 4 files changed, 9 insertions(+) Merged into selinux/next, thanks. -- paul moore www.paul-moore.com