On 1/29/20 1:44 PM, Stephen Smalley wrote:
On 1/23/20 2:34 PM, Stephen Smalley wrote:
When running the testsuite on a labeled NFS mount, certain
additional permissions are required for nfsd and its kernel threads
and for the nfs_t filesystem. Allow them to avoid unnecessary
failures on NFS. Also declare test_setfscreatecon_newcon_t as a
files_type() to ensure that it can be accessed as expected by
unconfined domains; otherwise, cleanup and repeated runs are not
guaranteed to work. Saw denials for unconfined_t and kernel_t on
test_fscreatecon_newcon_t when running over labeled NFS, but
at least the unconfined_t access was possible even for running
locally.
With these changes, all of the "filesystem" tests pass on a labeled NFS
mount.
Certain test cases are still expected to fail over NFS; see
https://github.com/SELinuxProject/selinux-testsuite/issues/32
for more details.
Test sequence for labeled NFS is:
$ cat nfs.sh
MOUNT=/home # must be a top-level mount
TESTDIR=$MOUNT/path/to/selinux-testsuite
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
systemctl start nfs-server
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
exportfs -u localhost:$MOUNT
systemctl stop nfs-server
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
policy/test_filesystem.te | 8 ++++++++
policy/test_sctp.te | 18 ++++++++++++++++++
2 files changed, 26 insertions(+)
I went ahead and applied this. Further policy changes will be needed to
support testing on labeled NFS once more of the filesystem and/or
fs_filesystem tests are migrated to running in the host/native
filesystem rather than within the ext4 mount created by the test itself.
I'd like to get to the point where we can fully run the testsuite on
labeled NFS, which will require making some other tests conditional on
filesystem type. Then hopefully those who are running the testsuite
automatically could also add the above nfs.sh script or something
similar to their test harness and start exercising labeled NFS on a
regular basis to catch regressions.
Looks like my sample nfs.sh script above isn't quite right; need to
start nfs-server before the exportfs.
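The nfs.sh sequence above, with the ordering fix from the follow-up (nfs-server started before exportfs), plus a pre-check that the mount really came up as labeled NFSv4.2 before make test is run. This is an added example, not code from the thread or the testsuite; it assumes the kernel reports a labeled mount in /proc/self/mountinfo with fstype nfs4, vers=4.2 and the seclabel option (the SELinux marker for filesystems it can label), and the function and variable names are mine.

```sh
#!/bin/sh
# Added example (not from the thread): confirm that the NFS mount the testsuite
# runs on really is labeled NFSv4.2 (fstype nfs4, vers=4.2 and seclabel in its
# options, an assumption about how the kernel reports it), then run the thread's
# nfs.sh sequence with nfs-server started before exportfs.
# /proc/self/mountinfo layout, per proc(5):
#   id parent maj:min root mountpoint mnt-opts [optional...] - fstype source super-opts

# check_labeled_nfs_line LINE MOUNTPOINT: 0 if LINE is a labeled NFSv4.2
# mountinfo entry for MOUNTPOINT, else print why to stderr and return 1.
check_labeled_nfs_line() {
    line=$1; want=$2
    set -- $line   # split into mountinfo fields
    [ "$5" = "$want" ] || { echo "$want: not its mountinfo entry" >&2; return 1; }
    mntopts=$6
    while [ $# -gt 0 ] && [ "$1" != "-" ]; do shift; done   # skip optional fields
    [ $# -ge 4 ] || { echo "$want: malformed mountinfo line" >&2; return 1; }
    fstype=$2; opts=",$mntopts,$4,"   # per-mount plus superblock options
    case $fstype in
        nfs|nfs4) ;;
        *) echo "$want: fstype is $fstype, not NFS" >&2; return 1 ;;
    esac
    case $opts in
        *,vers=4.2,*) ;;
        *) echo "$want: not NFSv4.2; mount with -o vers=4.2" >&2; return 1 ;;
    esac
    case $opts in
        *,seclabel,*) ;;
        *) echo "$want: no seclabel; export with security_label" >&2; return 1 ;;
    esac
    return 0
}

# check_labeled_nfs MOUNTPOINT: the same check against the live mount table.
check_labeled_nfs() {
    entry=$(awk -v m="$1" '$5 == m' /proc/self/mountinfo | tail -n 1)
    [ -n "$entry" ] || { echo "$1: not mounted" >&2; return 1; }
    check_labeled_nfs_line "$entry" "$1"
}

# run_on_labeled_nfs MOUNT TESTDIR: MOUNT must be a top-level mount (as in the
# thread); server started first, and the check runs before make test.
run_on_labeled_nfs() {
    MOUNT=$1; TESTDIR=$2; MNT=/mnt/selinux-testsuite
    systemctl start nfs-server
    exportfs -orw,no_root_squash,security_label "localhost:$MOUNT"
    mkdir -p "$MNT"; mount -t nfs -o vers=4.2 "localhost:$TESTDIR" "$MNT"
    check_labeled_nfs "$MNT" && (cd "$MNT" && make test)
    umount "$MNT"
    exportfs -u "localhost:$MOUNT"
    systemctl stop nfs-server
}
```

Source the file and call run_on_labeled_nfs /home /home/path/to/selinux-testsuite as root; a plain (unlabeled) mount is reported and the tests are skipped, while the unmount and unexport still run.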