On Wed, Oct 9, 2019 at 4:01 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Wed, Oct 9, 2019 at 9:53 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On 10/8/19 5:30 PM, Paul Moore wrote:
> > > On Mon, Sep 30, 2019 at 10:07 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > >> On 9/30/19 9:16 AM, Ondrej Mosnacek wrote:
> > >>> Add a test that verifies that SELinux permissions are not checked when
> > >>> mounting submounts. The test sets up a simple local NFS export on a
> > >>> directory which has another filesystem mounted on its subdirectory.
> > >>> Since the export is set up with the crossmnt option enabled, any client
> > >>> mount will try to transparently mount any subdirectory that has a
> > >>> filesystem mounted on it on the server, triggering an internal mount.
> > >>> The test tries to access the automounted part of this export via a
> > >>> client mount without having a permission to mount filesystems, expecting
> > >>> it to succeed.
> > >>>
> > >>> The original bug this test is checking for has been fixed in kernel
> > >>> commit 892620bb3454 ("selinux: always allow mounting submounts"), which
> > >>> has been backported to 4.9+ stable kernels.
> > >>>
> > >>> The test first checks whether it is able to export and mount directories
> > >>> via NFS and skips the actual tests if e.g. NFS daemon is not running.
> > >>> This means that the testsuite can still be run without having the NFS
> > >>> server installed and running.
> > >>
> > >> 1) We have to manually start nfs-server in order for the test to run;
> > >> else it will be skipped automatically. Do we want to start/stop the
> > >> nfs-server as part of the test script?
> > >
> > > My two cents are that I'm not sure we want to automatically start/stop
> > > the NFS server with the usual "make test", perhaps we have a dedicated
> > > NFS test target that does the setup-test-shutdown? Other ideas are
> > > welcome.
> >
> > I guess my concern is that anything that doesn't run with the default
> > make test probably won't get run at all with any regularity.
>
> FWIW, I think I'm the only one regularly running the tests on upstream
> kernels and reporting the results. RH was running the tests at one
> point, and may still be doing so, but I have no idea what kernels they
> are testing (maybe just RHEL, stable Fedora, etc.) and what their
> process is when they find failures.
We do still run the selinux-testsuite nightly on Fedora Rawhide with
your kernel-secnext kernel builds (I suppose we fetch them from COPR).
I can't really describe what we do when they fail, because that hardly
ever happens now :) But if we came across a failure that would suggest
a bug, we would certainly investigate and report it.
The testsuite is now also being run as part of CKI
(https://github.com/cki-project), which AFAIK currently runs regularly
on linux-stable kernels (the results are posted publicly to
stable@xxxxxxxxxxxxxxx). I don't follow these reports closely, so I'm
not sure if there were any non-false-positive failures there...
>
> I also try to enable everything that I can enable for my test runs.
> Thanks to Mellanox I can even run the IB tests.
>
> > For
> > something that requires specialized hardware (e.g. InfiniBand), this is
> > reasonable but that isn't true of NFS. For the more analogous cases of
> > e.g. labeled IPSEC, NetLabel, SECMARK, we already load and unload
> > network configurations for the testsuite during testing.
>
> That's a good point about the other networking tests. My gut feeling
> tells me that NFS should be "different", but I guess I can't really
> justify that statement in an objectively meaningful way.
I think the main reason why I didn't include NFS server starting was
that I don't know how to do it robustly across distros... Already on
RHEL the service name varies ("nfs-server" vs. just "nfs") and then
there is "service xyz start" vs. "systemctl start xyz"...
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
