Commit 9fc2b4b4 authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Paul Moore

selinux: fix setting of security labels on NFS

Before calling into the filesystem, vfs_setxattr calls
security_inode_setxattr, which ends up calling selinux_inode_setxattr in
our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
only if selinux_is_sblabel_mnt returns true.

The selinux_is_sblabel_mnt logic was broken by eadcabc6 "SELinux: do
all flags twiddling in one place", which didn't take into the account
the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
with eb9ae686 "SELinux: Add new labeling type native labels".

This caused setxattr's of security labels over NFSv4.2 to fail.

Cc: stable@kernel.org # 3.13
Cc: Eric Paris <eparis@redhat.com>
Cc: David Quigley <dpquigl@davequigley.com>
Reported-by: default avatarRichard Chan <rc556677@outlook.com>
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
[PM: added the stable dependency]
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
parent 42a9699a
...@@ -403,6 +403,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb) ...@@ -403,6 +403,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
return sbsec->behavior == SECURITY_FS_USE_XATTR || return sbsec->behavior == SECURITY_FS_USE_XATTR ||
sbsec->behavior == SECURITY_FS_USE_TRANS || sbsec->behavior == SECURITY_FS_USE_TRANS ||
sbsec->behavior == SECURITY_FS_USE_TASK || sbsec->behavior == SECURITY_FS_USE_TASK ||
sbsec->behavior == SECURITY_FS_USE_NATIVE ||
/* Special handling. Genfs but also in-core setxattr handler */ /* Special handling. Genfs but also in-core setxattr handler */
!strcmp(sb->s_type->name, "sysfs") || !strcmp(sb->s_type->name, "sysfs") ||
!strcmp(sb->s_type->name, "pstore") || !strcmp(sb->s_type->name, "pstore") ||
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment