On 10/8/19 5:30 PM, Paul Moore wrote:
> On Mon, Sep 30, 2019 at 10:07 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On 9/30/19 9:16 AM, Ondrej Mosnacek wrote:
>>> Add a test that verifies that SELinux permissions are not checked when
>>> mounting submounts. The test sets up a simple local NFS export on a
>>> directory which has another filesystem mounted on its subdirectory.
>>> Since the export is set up with the crossmnt option enabled, any client
>>> mount will try to transparently mount any subdirectory that has a
>>> filesystem mounted on it on the server, triggering an internal mount.
>>> The test tries to access the automounted part of this export via a
>>> client mount without having permission to mount filesystems, expecting
>>> it to succeed.
>>>
>>> The original bug this test is checking for has been fixed in kernel
>>> commit 892620bb3454 ("selinux: always allow mounting submounts"), which
>>> has been backported to 4.9+ stable kernels.
>>>
>>> The test first checks whether it is able to export and mount directories
>>> via NFS and skips the actual tests if e.g. the NFS daemon is not running.
>>> This means that the testsuite can still be run without having the NFS
>>> server installed and running.
>>
>> 1) We have to manually start nfs-server in order for the test to run;
>> else it will be skipped automatically. Do we want to start/stop the
>> nfs-server as part of the test script?
>
> My two cents are that I'm not sure we want to automatically start/stop
> the NFS server with the usual "make test", perhaps we have a dedicated
> NFS test target that does the setup-test-shutdown? Other ideas are
> welcome.

I guess my concern is that anything that doesn't run with the default
make test probably won't get run at all with any regularity. For
something that requires specialized hardware (e.g. InfiniBand), this is
reasonable but that isn't true of NFS. For the more analogous cases of
e.g. labeled IPSEC, NetLabel, SECMARK, we already load and unload
network configurations for the testsuite during testing.