Re: [PATCH 2/2] common/config: don't hard-code SELinux context

On Mon, Mar 13, 2017 at 12:02:26PM +0800, Eryu Guan wrote:
> On Fri, Mar 10, 2017 at 04:50:48PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > 
> > If SELinux is enabled, xfstests mounts its filesystems with
> > "-o context=system_u:object_r:nfs_t:s0" so that no SELinux xattrs get
> > created and interfere with tests.  However, this particular context is
> > not guaranteed to be available because the context names are a detail of
> > the SELinux policy.  The SELinux policy on Android systems, for example,
> > does not have a context with this name.
> > 
> > To fix this, just grab the SELinux context of the root directory.  This
> > is arbitrary, but it should always provide a valid context.  And any
> > valid context *should* be okay (i.e. we don't necessarily need a
> > "liberal" one), since one would likely encounter many other problems if
> > they were to run xfstests in a confined context with SELinux in
> > enforcing mode.
> > 
> > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> 
> SELINUX_MOUNT_OPTIONS has just been updated to be configurable, you can
> set your own SELINUX_MOUNT_OPTIONS to override the default one, does
> this work for you?
> 
> d8b1dc1 common/config: make SELinux protection conditional
> 
> Thanks,
> Eryu

Oh, I didn't notice this.  It looks like Gwendal ran into the same problem, but
on ChromeOS instead of Android.

The problem can indeed be solved by overriding SELINUX_MOUNT_OPTIONS.  But I
think auto-detecting a valid context is better because then xfstests will just
work without having to override SELINUX_MOUNT_OPTIONS.

An exception would be that if for some reason someone actually wants to run
xfstests in some particular SELinux context (maybe one they've set up
specifically for xfstests), then they'd likely need to specify a particular
context when mounting.

How about just doing it both ways: use SELINUX_MOUNT_OPTIONS in the environment
if set, otherwise mount with an auto-detected valid context?

Eric
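
The fallback proposed above (use SELINUX_MOUNT_OPTIONS from the environment if set, otherwise mount with an auto-detected valid context), as an added example that is not part of the original message or of xfstests. The function names and the `--run` switch are hypothetical. Reading the label of the root directory with `stat -c %C` and treating an empty override as "no context option" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not xfstests code). Only SELINUX_MOUNT_OPTIONS comes from
# the thread; the function names are hypothetical.

# Print the SELinux context of a path, or nothing when none can be read.
# GNU stat prints "?" for %C on a file without an SELinux label.
detect_context() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || ctx=
    [ "$ctx" = "?" ] && ctx=
    printf '%s' "$ctx"
}

# choose_selinux_mount_options ENABLED CONTEXT
#   ENABLED: 1 if SELinux is enabled, else 0
#   CONTEXT: auto-detected context (may be empty)
# Prints the mount options to use; returns 1 if no usable context exists.
choose_selinux_mount_options() {
    # An environment override wins, even when set to the empty string
    # (assumption: empty means "mount without a context option").
    if [ -n "${SELINUX_MOUNT_OPTIONS+set}" ]; then
        printf '%s' "$SELINUX_MOUNT_OPTIONS"
        return 0
    fi
    [ "$1" = 1 ] || return 0          # SELinux off: no option needed
    case "$2" in
        '') return 1 ;;               # nothing detected: let the caller decide
        *[[:space:]]*) return 1 ;;    # not a usable context string
        # MLS categories contain commas; mount(8) requires double quotes then.
        *,*) printf '%s' "-o context=\"$2\"" ;;
        *) printf '%s' "-o context=$2" ;;
    esac
}

# Stand-alone use: detect from the root directory, as the patch proposes.
if [ "${1:-}" = "--run" ]; then
    enabled=0
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled && enabled=1
    choose_selinux_mount_options "$enabled" "$(detect_context /)"
    echo
fi
```
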