On 2/18/20 9:18 AM, Richard Haines wrote:
After more testing these definitely require 'unlabeled_t' when running NFS:

#
# These rules are required otherwise some nfs tests will fail when:
# mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
# And:
# mount -t nfs -o vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
#
allow test_filesystem_no_getattr_t unlabeled_t:dir search;
allow test_filesystem_no_mount_t unlabeled_t:dir search;
allow test_filesystem_no_remount_t unlabeled_t:dir search;
allow test_filesystem_no_unmount_t unlabeled_t:dir search;
allow test_filesystem_no_watch_mount_t unlabeled_t:dir search;
allow test_filesystem_no_watch_sb_t unlabeled_t:dir search;
allow test_filesystem_no_watch_t unlabeled_t:dir search;

Any idea why??? Not required when rootcontext set.
I'd guess that this is a bug I've sometimes seen with labeled NFS, where the top-level mounted directory shows up with unlabeled_t initially and then later gets refreshed to a valid context. If we can get a trivial reproducer it would be good to send it to the NFS developers, particularly those who have submitted fixes for labeled NFS previously, e.g. J. Bruce Fields, Scott Mayhew.
Regarding xfs quotas - XFS supports quotas internally but does not call security_quotactl() or security_quota_on() hooks. I could ignore testing quotas on xfs or test. If tested they would fail when denying the quota permissions. Which would you prefer?
IMHO, the tests should fail because there is a real gap in checking in xfs that should be addressed; it should call those hooks as appropriate if it has its own implementations of quotactl() / quota_on() and doesn't use fs/quota/*.c common code.