When running the testsuite on a labeled NFS mount, certain additional permissions are required for nfsd and its kernel threads and for the nfs_t filesystem. Allow them to avoid unnecessary failures on NFS.

Also declare test_setfscreatecon_newcon_t as a files_type() to ensure that it can be accessed as expected by unconfined domains; otherwise, cleanup and repeated runs are not guaranteed to work. Saw denials for unconfined_t and kernel_t on test_setfscreatecon_newcon_t when running over labeled NFS, but at least the unconfined_t access was possible even when running locally.

With these changes, all of the "filesystem" tests pass on a labeled NFS mount. Certain test cases are still expected to fail over NFS; see https://github.com/SELinuxProject/selinux-testsuite/issues/32 for more details.

Test sequence for labeled NFS is:

$ cat nfs.sh
MOUNT=/home # must be a top-level mount
TESTDIR=$MOUNT/path/to/selinux-testsuite
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
systemctl start nfs-server
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
exportfs -u localhost:$TESTDIR
systemctl stop nfs-server

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

--- policy/test_filesystem.te | 8 ++++++++ policy/test_sctp.te | 18 ++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index a029a1b34404..c3c944affad4 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -41,6 +41,9 @@ files_search_all(test_filesystem_t) fs_associate(test_filesystem_file_t) fs_getattr_xattr_fs(test_filesystem_t) +# Required when running the tests on a labeled NFS mount. +fs_getattr_nfs(test_filesystem_t) + # Update quotas fs_set_all_quotas(test_filesystem_t) allow test_filesystem_t test_filesystem_file_t:file { quotaon }; 
@@ -303,10 +306,15 @@ allow test_setfscreatecon_t test_file_t:dir { add_name write remove_name }; # Set new context on fs: type test_setfscreatecon_newcon_t; +files_type(test_setfscreatecon_newcon_t) unconfined_runs_test(test_setfscreatecon_newcon_t) fs_associate(test_setfscreatecon_newcon_t) allow test_setfscreatecon_t test_setfscreatecon_newcon_t:dir { create getattr rmdir }; +# Permit creation of the new file in a NFS filesystem. +# This is required when running the testsuite on a labeled NFS mount. +allow test_setfscreatecon_newcon_t nfs_t:filesystem associate; + ################# deny process { setfscreate } ############# type test_no_setfscreatecon_t; domain_type(test_no_setfscreatecon_t) diff --git a/policy/test_sctp.te b/policy/test_sctp.te index aedd3a01ba66..df8606ec7a35 100644 --- a/policy/test_sctp.te +++ b/policy/test_sctp.te @@ -12,6 +12,15 @@ type netlabel_sctp_peer_t; corenet_in_generic_node(netlabel_sctp_peer_t) corenet_in_generic_if(netlabel_sctp_peer_t) +# Permit nfsd and its kernel threads to receive these packets. +# This is required when running the testsuite on a labeled NFS mount. +gen_require(` + type kernel_t; + type nfsd_t; +') +allow kernel_t netlabel_sctp_peer_t:peer recv; +allow nfsd_t netlabel_sctp_peer_t:peer recv; + # Default label for CIPSO/CALIPSO: gen_require(` type netlabel_peer_t; @@ -89,6 +98,15 @@ allow test_sctp_client_t deny_assoc_sctp_peer_t:peer {recv }; corenet_inout_generic_node(deny_assoc_sctp_peer_t) corenet_inout_generic_if(deny_assoc_sctp_peer_t) +# Permit nfsd and its kernel threads to receive these packets. +# This is required when running the testsuite on a labeled NFS mount. +gen_require(` + type kernel_t; + type nfsd_t; +') +allow kernel_t deny_assoc_sctp_peer_t:peer recv; +allow nfsd_t deny_assoc_sctp_peer_t:peer recv; + # ############################# Connectx ################################# # -- 2.24.1
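Review bot: In the first test_filesystem.te hunk (@@ -41,6 +41,9 @@), the comment on `fs_getattr_nfs(test_filesystem_t)` says only that it is required on a labeled NFS mount; it would help future readers to name the operation that was denied (the commit message mentions the "filesystem" tests and statfs-style getattr on nfs_t is what this interface grants), so that the rule can be reconsidered if the test that needs it changes.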
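Review bot: In the second test_filesystem.te hunk (@@ -303,10 +306,15 @@), the new rule `allow test_setfscreatecon_newcon_t nfs_t:filesystem associate;` references nfs_t directly without a gen_require, whereas the two test_sctp.te hunks wrap kernel_t and nfsd_t in `gen_require(` ... ')`. As written, the rule compiles only because nfs_t is already pulled into the module's require set by the fs_getattr_nfs() call added earlier in the same file; if that call is later removed, this rule would fail to build. Suggest adding an explicit `gen_require(` type nfs_t; ')` next to the rule (or using the filesystem-layer associate interface for nfs_t if one is available) so the dependency is visible. The `files_type(test_setfscreatecon_newcon_t)` addition also carries no comment, while the commit message explains it is what lets unconfined domains clean up the created file; a one-line comment there would preserve that rationale in the policy.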
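Review bot: In the first test_sctp.te hunk (@@ -12,6 +12,15 @@), the `gen_require(` type kernel_t; type nfsd_t; ')` block is repeated verbatim in the second hunk of the same file (@@ -89,6 +98,15 @@). Since a single require at the top of test_sctp.te covers both rule sets, consider hoisting it there so the two `allow kernel_t ...:peer recv;` / `allow nfsd_t ...:peer recv;` pairs do not each drag along their own copy.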
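Review bot: In the second test_sctp.te hunk (@@ -89,6 +98,15 @@), the comment "Permit nfsd and its kernel threads to receive these packets" does not say why granting kernel_t and nfsd_t `peer recv` on deny_assoc_sctp_peer_t is safe for the test's purpose: the surrounding context shows the deny-assoc case is exercised through test_sctp_client_t (`allow test_sctp_client_t deny_assoc_sctp_peer_t:peer {recv };`), so the new rules only affect the NFS server path and leave the client-side assertion untouched. Stating that in the comment would make clear the test semantics are unchanged. Also, the comment reads "in a NFS filesystem" style elsewhere in this patch; "an NFS" is the usual form.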