Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of https://github.com/SELinuxProject/selinux-testsuite/issues/32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> --- README.md | 41 +++++++++++++++++++++++++++++++++++++++++ defconfig | 10 ++++++++++ nfs.sh | 13 +++++++++++++ 3 files changed, 64 insertions(+) create mode 100755 nfs.sh diff --git a/README.md b/README.md index 4352796edb2d..25ffe1233a2d 100644 --- a/README.md +++ b/README.md @@ -118,6 +118,47 @@ the tests: tests/infiniband_pkey/ibpkey_test.conf tests/infiniband_endport/ibendport_test.conf +#### NFS + +It is possible to run most of the tests within a labeled NFS mount in +order to exercise the NFS security labeling functionality. Certain +tests have been excluded from such testing due to differences between +NFS and local filesystems; these tests will be automatically skipped. + +You will need to install an additional package, the package below +is for Fedora/RHEL but other Linux distributions should have a similar +package: + +* nfs-utils _(for `nfsd', `exportfs', and other NFS-related programs)_ + +On a modern Fedora system you can install this dependency with the +following command: + + # dnf install nfs-utils + +If your distribution does not use systemd as its init system, you will +need to customize the nfs.sh script found in this directory to +correctly start and stop the nfs server. You may also choose to not +start/stop the nfs-server as part of the script by removing those lines +if you are already using NFS for other reasons. + +Before running the tests in a labeled NFS mount, first ensure that you +can run them successfully on a local filesystem following the standard +instructions further below. Any failures that occur on a local +filesystem should also typically be expected when running over NFS. + +To run the tests within a labeled NFS mount, you can run the +nfs.sh script while in the selinux-testsuite directory: + + # cd selinux-testsuite + # ./nfs.sh + +The script will start the nfs-server, export the mount containing the +testsuite directory with the security_label option to localhost, mount +it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory, +and run the testsuite there. After completion, it will unmount and +unexport the mount and then stop the nfs-server. + ## Running the Tests Create a shell with the `unconfined_r` or `sysadm_r` role and the Linux diff --git a/defconfig b/defconfig index 7cb6a2ca7f71..8419e40b79dc 100644 --- a/defconfig +++ b/defconfig @@ -94,3 +94,13 @@ CONFIG_TRACEPOINTS=y CONFIG_BLK_DEV_LOOP=m CONFIG_BLK_DEV_LOOP_MIN_COUNT=0 CONFIG_QFMT_V2=y + +# Test labeled NFS. +# This is not required for SELinux operation itself. +CONFIG_NFS_FS=m +CONFIG_NFS_V4=m +CONFIG_NFS_V4_2=y +CONFIG_NFS_V4_SECURITY_LABEL=y +CONFIG_NFSD=m +CONFIG_NFSD_V4=y +CONFIG_NFSD_V4_SECURITY_LABEL=y diff --git a/nfs.sh b/nfs.sh new file mode 100755 index 000000000000..31c66c377cae --- /dev/null +++ b/nfs.sh @@ -0,0 +1,13 @@ +#!/bin/sh -e +MOUNT=`stat --print %m .` +TESTDIR=`pwd` +systemctl start nfs-server +exportfs -orw,no_root_squash,security_label localhost:$MOUNT +mkdir -p /mnt/selinux-testsuite +mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite +pushd /mnt/selinux-testsuite +make test +popd +umount /mnt/selinux-testsuite +exportfs -u localhost:$MOUNT +systemctl stop nfs-server -- 2.24.1
