Re: [PATCH V2 0/2] selinux-testsuite: Add fs*(2) API filesystem tests

On Mon, 2020-01-27 at 12:46 -0500, Stephen Smalley wrote:
> On 1/27/20 4:32 AM, Richard Haines wrote:
> > These patches update the current tests/filesystem to share code (patch 1)
> > with the fs*(2) API filesystem tests (patch 2).
> > 
> > V2 Changes:
> > 1) If kernel patch [1] installed move_mount test for denying FILE__MOUNTON
> >     should pass. If not installed, display 'Failed as kernel 5.x without
> >     "selinux: fix regression introduced by move_mount(2) syscall" patch'
> >     (as there is a regression that should be fixed).
> >     Note: Kernels 5.2 - 5.5 will fail unless [1] backported. 5.6 is expected
> >     to have [1].
> > 2) Move policy changes to patch 2.
> 
> These look ok to me; we'll see if anyone else objects to the error
> message.
> 
> One other item that occurred to me is that most of the current
> filesystem and fs_filesystem tests are only exercising ext4 regardless
> of the native filesystem in which you run the testsuite (e.g. if I run
> it on a labeled NFS mount most of the tests end up running in the ext4
> filesystem that is created and mounted rather than on labeled NFS
> itself, and likewise if I run it on xfs or btrfs or ...).  For tests
> where it does not matter (e.g. the type_transition tests) it might be
> better to run those on the host/native filesystem directly so we can
> more readily reuse those tests.  Obviously the mount tests themselves
> require some other filesystem besides the one in which the testsuite
> itself resides.  Don't know if people may want to make it easier to
> substitute or add additional filesystem types for testing; you already
> provide a fs_type variable in the test script but that requires patching
> the script and still only supports testing one filesystem type at a
> time.

I'll do some work on making the tests use the native filesystem and add
an option to select a different one.
I guess I could add a list of fs to run against from relevant
proc/filesystems entries? (or something else)

I had a go with xfs and found Fedora is configured by default to use
the xfs quota system, however that does not call security hooks
security_quota_on or security_quotactl so not worth testing, otherwise
apart from increasing the block size seems okay.

I also have another patch ready as I noticed that I missed these:
hooks.c selinux_path_notify() FILE__WATCH_SB
hooks.c selinux_path_notify() FILE__WATCH_MOUNT

> 
> > [1] 
> > https://lore.kernel.org/selinux/20200117202407.12344-1-sds@xxxxxxxxxxxxx
> > 
> > Richard Haines (2):
> >    selinux-testsuite: Prepare for adding fs*(2) API tests
> >    selinux-testsuite: Add fs*(2) API filesystem tests
> > 
> >   policy/test_filesystem.te        |  18 +-
> >   tests/Makefile                   |   6 +
> >   tests/filesystem/Filesystem.pm   | 166 ++++++
> >   tests/filesystem/test            | 219 ++------
> >   tests/fs_filesystem/.gitignore   |   3 +
> >   tests/fs_filesystem/Makefile     |  16 +
> >   tests/fs_filesystem/fs_common.c  | 110 ++++
> >   tests/fs_filesystem/fs_common.h  |  30 ++
> >   tests/fs_filesystem/fsmount.c    |  89 ++++
> >   tests/fs_filesystem/fspick.c     |  68 +++
> >   tests/fs_filesystem/move_mount.c |  76 +++
> >   tests/fs_filesystem/test         | 835 +++++++++++++++++++++++++++++++
> >   tools/check-syntax               |   2 +-
> >   13 files changed, 1455 insertions(+), 183 deletions(-)
> >   create mode 100644 tests/filesystem/Filesystem.pm
> >   create mode 100644 tests/fs_filesystem/.gitignore
> >   create mode 100644 tests/fs_filesystem/Makefile
> >   create mode 100644 tests/fs_filesystem/fs_common.c
> >   create mode 100644 tests/fs_filesystem/fs_common.h
> >   create mode 100644 tests/fs_filesystem/fsmount.c
> >   create mode 100644 tests/fs_filesystem/fspick.c
> >   create mode 100644 tests/fs_filesystem/move_mount.c
> >   create mode 100755 tests/fs_filesystem/test
> > 



