On Wed, 2023-09-27 at 15:55 -0400, Simon Kaegi wrote:
> #regzbot introduced v6.1.52..v6.1.53
> #regzbot introduced: ed134f284b4ed85a70d5f760ed0686e3cd555f9b
>
> We hit this regression when updating our guest vm kernel from 6.1.52 to
> 6.1.53 -- bisecting this problem was introduced
> in ed134f284b4ed85a70d5f760ed0686e3cd555f9b -- vfs, security: Fix automount
> superblock LSM init problem, preventing NFS sb sharing --
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.53&id=ed134f284b4ed85a70d5f760ed0686e3cd555f9b
>
> We're getting an EINVAL in `selinux_set_mnt_opts` in
> `security/selinux/hooks.c` when mounting a folder in a guest VM where
> selinux is disabled. We're mounting from another folder that we suspect has
> selinux labels set from the host. The EINVAL is getting set in the
> following block...
> ```
> if (!selinux_initialized(&selinux_state)) {
>         if (!opts) {
>                 /* Defer initialization until selinux_complete_init,
>                    after the initial policy is loaded and the security
>                    server is ready to handle calls. */
>                 goto out;
>         }
>         rc = -EINVAL;
>         pr_warn("SELinux: Unable to set superblock options "
>                 "before the security server is initialized\n");
>         goto out;
> }
> ```
> We can reproduce 100% of the time but don't currently have a simple
> reproducer as the problem was found in our build service which uses
> kata-containers (with cloud-hypervisor and rootfs mounted via virtio-blk).
>
> We have not checked the mainline as we currently are tied to 6.1.x.
>
> -Simon

This sounds very similar to the bug that Ondrej fixed here:

https://lore.kernel.org/selinux/20230911142358.883728-1-omosnace@xxxxxxxxxx/

You may want to try that patch and see if it helps.

--
Jeff Layton <jlayton@xxxxxxxxxx>