linux/security/selinux/include
Ondrej Mosnacek cec5fe7007 selinux: make labeled NFS work when mounted before policy load
Currently, when an NFS filesystem that supports passing LSM/SELinux
labels is mounted during early boot (before the SELinux policy is
loaded), it ends up mounted without the labeling support (i.e. with
Fedora policy all files get the generic NFS label
system_u:object_r:nfs_t:s0).

This is because the information that the NFS mount supports passing
labels (communicated to the LSM layer via the kern_flags argument of
security_set_mnt_opts()) gets lost and when the policy is loaded the
mount is initialized as if the passing is not supported.

Fix this by noting the "native labeling" in newsbsec->flags (using a new
SE_SBNATIVE flag) on the pre-policy-loaded call of
selinux_set_mnt_opts() and then making sure it is respected on the
second call from delayed_superblock_init().

Additionally, make inode_doinit_with_dentry() initialize the inode's
label from its extended attributes whenever it doesn't find it already
initialized by the filesystem. This is needed to properly initialize
pre-existing inodes when delayed_superblock_init() is called. It should
not trigger in any other cases (and if it does, it's still better to
initialize the correct label instead of leaving the inode unlabeled).

Fixes: eb9ae68650 ("SELinux: Add new labeling type native labels")
Tested-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: fixed 'Fixes' tag format]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-05-30 17:44:34 -04:00
audit.h selinux: adjust typos in comments 2023-05-08 16:44:01 -04:00
avc_ss.h selinux: stop passing selinux_state pointers and their offspring 2023-03-14 15:22:45 -04:00
avc.h selinux: avc: drop unused function avc_disable() 2023-05-08 16:45:36 -04:00
classmap.h lsm/stable-6.1 PR 20221003 2022-10-03 17:51:52 -07:00
conditional.h selinux: stop passing selinux_state pointers and their offspring 2023-03-14 15:22:45 -04:00
ibpkey.h selinux: make header files self-including 2023-05-18 14:12:43 -04:00
ima.h selinux: adjust typos in comments 2023-05-08 16:44:01 -04:00
initial_sid_to_string.h selinux: make header files self-including 2023-05-18 14:12:43 -04:00
netif.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
netlabel.h security: pass asoc to sctp_assoc_request and sctp_sk_clone 2021-11-03 11:09:20 +00:00
netnode.h selinux: include necessary headers in headers 2022-05-03 14:11:13 -04:00
netport.h selinux: include necessary headers in headers 2022-05-03 14:11:13 -04:00
objsec.h LSM: Infrastructure management of the superblock 2021-04-22 12:22:10 -07:00
policycap_names.h selinux: declare data arrays const 2022-05-03 15:53:49 -04:00
policycap.h selinux: declare data arrays const 2022-05-03 15:53:49 -04:00
security.h selinux: make labeled NFS work when mounted before policy load 2023-05-30 17:44:34 -04:00
xfrm.h selinux: include necessary headers in headers 2022-05-03 14:11:13 -04:00