On 28.09.23 16:43, Simon Kaegi wrote:
> Thanks Jeff. I've confirmed that Ondrej's patch fixes the issue we
> were having. Definitely would be great to get this in 6.1.x. soon.

That patch afaics is already part of 6.1.55

#regzbot fix: 978b86fbdb2acf69

HTH! Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
If I did something stupid, please tell me, as explained on that page.

> On Wed, Sep 27, 2023 at 4:21 PM Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>>
>> On Wed, 2023-09-27 at 15:55 -0400, Simon Kaegi wrote:
>>> #regzbot introduced v6.1.52..v6.1.53
>>> #regzbot introduced: ed134f284b4ed85a70d5f760ed0686e3cd555f9b
>>>
>>> We hit this regression when updating our guest vm kernel from 6.1.52 to
>>> 6.1.53 -- bisecting this problem was introduced
>>> in ed134f284b4ed85a70d5f760ed0686e3cd555f9b -- vfs, security: Fix automount
>>> superblock LSM init problem, preventing NFS sb sharing --
>>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.53&id=ed134f284b4ed85a70d5f760ed0686e3cd555f9b
>>>
>>> We're getting an EINVAL in `selinux_set_mnt_opts` in
>>> `security/selinux/hooks.c` when mounting a folder in a guest VM where
>>> selinux is disabled. We're mounting from another folder that we suspect has
>>> selinux labels set from the host. The EINVAL is getting set in the
>>> following block...
>>> ```
>>> if (!selinux_initialized(&selinux_state)) {
>>>         if (!opts) {
>>>                 /* Defer initialization until selinux_complete_init,
>>>                    after the initial policy is loaded and the security
>>>                    server is ready to handle calls. */
>>>                 goto out;
>>>         }
>>>         rc = -EINVAL;
>>>         pr_warn("SELinux: Unable to set superblock options "
>>>                 "before the security server is initialized\n");
>>>         goto out;
>>> }
>>> ```
>>> We can reproduce 100% of the time but don't currently have a simple
>>> reproducer as the problem was found in our build service which uses
>>> kata-containers (with cloud-hypervisor and rootfs mounted via virtio-blk).
>>>
>>> We have not checked the mainline as we currently are tied to 6.1.x.
>>>
>>> -Simon
>>
>> This sounds very similar to the bug that Ondrej fixed here:
>>
>> https://lore.kernel.org/selinux/20230911142358.883728-1-omosnace@xxxxxxxxxx/
>>
>> You may want to try that patch and see if it helps.
>> --
>> Jeff Layton <jlayton@xxxxxxxxxx>
>
>