On 1/23/20 2:34 PM, Stephen Smalley wrote:
> When running the testsuite on a labeled NFS mount, certain additional
> permissions are required for nfsd and its kernel threads and for the
> nfs_t filesystem. Allow them to avoid unnecessary failures on NFS.
> Also declare test_setfscreatecon_newcon_t as a files_type() to ensure
> that it can be accessed as expected by unconfined domains; otherwise,
> cleanup and repeated runs are not guaranteed to work. Saw denials for
> unconfined_t and kernel_t on test_fscreatecon_newcon_t when running
> over labeled NFS, but at least the unconfined_t access was possible
> even for running locally.
>
> With these changes, all of the "filesystem" tests pass on a labeled
> NFS mount. Certain test cases are still expected to fail over NFS; see
> https://github.com/SELinuxProject/selinux-testsuite/issues/32 for more
> details.
>
> Test sequence for labeled NFS is:
>
> $ cat nfs.sh
> MOUNT=/home # must be a top-level mount
> TESTDIR=$MOUNT/path/to/selinux-testsuite
> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
> systemctl start nfs-server
> mkdir -p /mnt/selinux-testsuite
> mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
> pushd /mnt/selinux-testsuite
> make test
> popd
> umount /mnt/selinux-testsuite
> exportfs -u localhost:$MOUNT
> systemctl stop nfs-server
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
>  policy/test_filesystem.te |  8 ++++++++
>  policy/test_sctp.te       | 18 ++++++++++++++++++
>  2 files changed, 26 insertions(+)
I went ahead and applied this. Further policy changes will be needed to support testing on labeled NFS once more of the filesystem and/or fs_filesystem tests are migrated to running in the host/native filesystem rather than within the ext4 mount created by the test itself. I'd like to get to the point where we can fully run the testsuite on labeled NFS, which will require making some other tests conditional on filesystem type. Then hopefully those who are running the testsuite automatically could also add the above nfs.sh script or something similar to their test harness and start exercising labeled NFS on a regular basis to catch regressions.
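The reply above mentions making some tests conditional on filesystem type so the whole suite can run on labeled NFS. The following is an added example for this thread, not code from the selinux-testsuite or from the author, showing one way a harness could do that: resolve the filesystem type under a test directory from the mount table and skip or run a test accordingly. The function names (fstype_from_mounts, fstype_of, run_only_on) and the sample mount table are assumptions constructed here; the table mirrors the layout nfs.sh produces (testsuite exported from /home and mounted at /mnt/selinux-testsuite).

```shell
#!/bin/sh
# Added example for this thread, not code from the selinux-testsuite or the
# author: resolve the filesystem type under a test directory from the mount
# table so a harness can make tests conditional on it (ext4 vs labeled NFS).

# fstype_from_mounts MOUNTS_TEXT PATH
# MOUNTS_TEXT is the contents of /proc/mounts (fields: source, mountpoint,
# fstype, options, ...). Prints the fstype of the deepest mount point that
# is a path-component prefix of PATH. Later entries win on equal depth,
# matching how a later mount shadows an earlier one at the same point.
fstype_from_mounts() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 3 {
            mp = $2; fs = $3
            if (mp == "/") {
                ok = 1
            } else {
                # /mnt/foo must not match /mnt/foobar: the match has to end at
                # the end of PATH or at a "/" component boundary.
                ok = (index(p, mp) == 1 && (length(p) == length(mp) || substr(p, length(mp) + 1, 1) == "/"))
            }
            if (ok && length(mp) >= best_len) { best_len = length(mp); best = fs }
        }
        END { print best }'
}

# fstype_of PATH: the same lookup against the live mount table.
fstype_of() {
    fstype_from_mounts "$(cat /proc/mounts)" "$1"
}

# run_only_on FSTYPE PATH: returns 0 if PATH sits on FSTYPE, 1 otherwise, so a
# test script can do: run_only_on ext4 "$PWD" || { echo "skip: not ext4"; exit 0; }
run_only_on() {
    [ "$(fstype_of "$2")" = "$1" ]
}

# Constructed sample mount table (not captured from a real system), modelled
# on the nfs.sh layout: /home exported over NFSv4.2 and the testsuite mounted
# at /mnt/selinux-testsuite.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime,seclabel 0 0
/dev/sda2 /home xfs rw,relatime,seclabel 0 0
localhost:/home/path/to/selinux-testsuite /mnt/selinux-testsuite nfs4 rw,relatime,vers=4.2,addr=127.0.0.1 0 0'

# Demonstration against the constructed table when run directly.
for p in /mnt/selinux-testsuite/tests/filesystem /mnt/selinux-testsuite2/x /home/user /tmp; do
    printf '%s -> %s\n' "$p" "$(fstype_from_mounts "$SAMPLE_MOUNTS" "$p")"
done
```

The prefix check matters: a naive string prefix would report /mnt/selinux-testsuite2 as NFS. The mount-table type only tells you it is nfs4; whether the server actually exports labels (the security_label export option in nfs.sh) still has to be confirmed on the client, for example by checking that files under the mount show their real contexts with ls -Z rather than a single fallback label.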