[PATCH v3 3/3] NFSv4 account for selinux security context when deciding to share superblock
Paul Moore
paul at paul-moore.com
Mon Mar 22 19:04:07 UTC 2021
On Fri, Feb 19, 2021 at 5:25 PM Olga Kornievskaia
<olga.kornievskaia at gmail.com> wrote:
>
> From: Olga Kornievskaia <kolga at netapp.com>
>
> Keep track of whether or not there were LSM security context
> options passed during mount (i.e. creation of the superblock).
> Then, while deciding if the superblock can be shared for the new
> mount, check if the newly passed in LSM security context options
> are compatible with the existing superblock's ones by calling
> security_sb_mnt_opts_compat().
>
> Previously, with selinux enabled, NFS wasn't able to do the
> following 2 mounts:
> mount -o vers=4.2,sec=sys,context=system_u:object_r:root_t:s0
> <serverip>:/ /mnt
> mount -o vers=4.2,sec=sys,context=system_u:object_r:swapfile_t:s0
> <serverip>:/scratch /scratch
>
> 2nd mount would fail with "mount.nfs: an incorrect mount option was
> specified" and var log messages would have:
> "SElinux: mount invalid. Same superblock, different security
> settings for.."
>
> Signed-off-by: Olga Kornievskaia <kolga at netapp.com>
> ---
> fs/nfs/fs_context.c | 3 +++
> fs/nfs/internal.h | 1 +
> fs/nfs/super.c | 4 ++++
> include/linux/nfs_fs_sb.h | 1 +
> 4 files changed, 9 insertions(+)

Merged into selinux/next, thanks.

--
paul moore
www.paul-moore.com