When files on NFSv4 server are not properly labeled (label doesn't match a policy on a client) they will end up with unlabeled_t type which is too generic. We would like to be able to set a default context per mount. 'defcontext' mount option looks like a nice solution, but it doesn't seem to be fully implemented for native labeling. Default context is stored, but is never used.
The patch adds a fallback to a default context if a received context is invalid. If the inode context is already initialized, then it is left untouched to preserve a context set locally on a client. Signed-off-by: Taras Kondratiuk <[email protected]> --- security/selinux/hooks.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad9a9b8e9979..f7debe798bf5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6598,7 +6598,30 @@ static void selinux_inode_invalidate_secctx(struct inode *inode) */ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) { - return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); + struct superblock_security_struct *sbsec; + struct inode_security_struct *isec; + int rc; + + rc = selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0); + + /* + * In case of Native labeling with defcontext mount option fall back + * to a default SID if received context is invalid. + */ + if (rc == -EINVAL) { + sbsec = inode->i_sb->s_security; + if (sbsec->behavior == SECURITY_FS_USE_NATIVE && + sbsec->flags & DEFCONTEXT_MNT) { + isec = inode->i_security; + if (!isec->initialized) { + isec->sclass = inode_mode_to_security_class(inode->i_mode); + isec->sid = sbsec->def_sid; + isec->initialized = 1; + } + rc = 0; + } + } + return rc; } /* -- 2.10.3.dirty _______________________________________________ Selinux mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
