On 09/23/2014 01:40 AM, Qu Wenruo wrote: > [BUG] > Originally when mount btrfs with "-o subvol=" mount option, btrfs will > lose all security lable. > And if the btrfs fs is mounted somewhere else, due to the lost of > security lable, SELinux will refuse to mount since the same super block > is being mounted using different security lable. > > [REPRODUCER] > With SELinux enabled: > #mkfs -t btrfs /dev/sda5 > #mount -o context=system_u:object_r:nfs_t:s0 /dev/sda5 /mnt/btrfs > #btrfs subvolume create /mnt/btrfs/subvol > #mount -o subvol=subvol,context=system_u:object_r:nfs_t:s0 /dev/sda5 > /mnt/test > > kernel message: > SELinux: mount invalid. Same superblock, different security settings > for (dev sda5, type btrfs) > > [REASON] > This happens because btrfs will call vfs_kern_mount() and then > mount_subtree() to handle subvolume name lookup. > First mount will cut off all the security lables and when it comes to > the second vfs_kern_mount(), it has no security label now. > > [FIX] > This patch will makes btrfs behavior much more like nfs, > which has the type flag FS_BINARY_MOUNTDATA, > making btrfs handles the security label internally. > So security label will be set in the real mount time and won't lose > label when use with "subvol=" mount option.
Thanks for working on this. Eric Sandeen (cc'd) was trying out something similar recently, so I want to make sure this doesn't conflict with his ideas. -chris -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
