Re: [RFC V2 PATCH 1/2] selinux-testsuite: Use native filesystem for tests - Part 1

On Mon, 2020-02-24 at 16:17 -0500, Stephen Smalley wrote:
> On Mon, Feb 24, 2020 at 9:16 AM Richard Haines
> <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > Use the filesystem type that the selinux-testsuite is running from
> > to be
> > used for tests/filesystem. Tested types: ext4, xfs, vfat and nfs.
> > 
> > If testing locally -f <fs_type> can be used to test a specific
> > type.
> > 
> > For NFS the following example shows how this should be run:
> >     ./tools/nfs.sh filesystem -v -e -f ext4
> 
> That example doesn't make much sense to me. If I'm running
> ./tools/nfs.sh I want to exercise (labeled) nfs, not ext4.

I'll change the example. I added this so that from nfs.sh I could just
run the filesystem or fs_filesystem tests with the -v option.

> 
> > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > ---
> > diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> > index 09f9d4a..c7d6fc1 100644
> > --- a/policy/test_filesystem.te
> > +++ b/policy/test_filesystem.te
> > @@ -6,6 +6,28 @@
> <snip>
> > +# Lots of searches required, however this covers up the
> > unlabeled_t NFS bug
> > +#files_search_all(filesystemdomain)
> > +
> > +#
> > +########## NFS BUG 'unlabeled_t rules' NFS BUG
> > ########################
> > +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1625955
> > +# These rules can be commented out to cause the NFS bug when
> > using:
> > +#     mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-
> > testsuite
> > +# And:
> > +#     mount -t nfs -o
> > vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0
> > +#           localhost:$TESTDIR /mnt/selinux-testsuite
> > +#
> > +allow test_filesystem_no_getattr_t unlabeled_t:dir { search };
> > +allow test_filesystem_no_mount_t unlabeled_t:dir { search };
> > +allow test_filesystem_no_remount_t unlabeled_t:dir { search };
> > +allow test_filesystem_no_unmount_t unlabeled_t:dir { search };
> > +allow test_move_mount_no_mounton_t unlabeled_t:dir { search };
> > +######################## End NFS bug ####################
> 
> Don't cover up bugs in the testsuite policy or code.  If it is a bug,
> let it fail.

I'll remove these next time.

> 
> > diff --git a/policy/test_filesystem_notify.te
> > b/policy/test_filesystem_notify.te
> > index 3e8a246..c9ef73a 100644
> > --- a/policy/test_filesystem_notify.te
> > +++ b/policy/test_filesystem_notify.te
> > @@ -2,15 +2,55 @@
> > +#
> > +########## NFS BUG 'unlabeled_t rules' NFS BUG
> > ########################
> > +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1625955
> > +# These rules can be commented out to cause the NFS bug when
> > using:
> > +#     mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-
> > testsuite
> > +# And:
> > +#     mount -t nfs -o
> > vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0
> > +#           localhost:$TESTDIR /mnt/selinux-testsuite
> > +#
> > +allow test_filesystem_no_watch_mount_t unlabeled_t:dir { search };
> > +allow test_filesystem_no_watch_sb_t unlabeled_t:dir { search };
> > +allow test_filesystem_no_watch_t unlabeled_t:dir { search };
> > +######################## End NFS bug ####################
> 
> ditto
> 
> > diff --git a/tests/filesystem/Filesystem.pm
> > b/tests/filesystem/Filesystem.pm
> > index a08570a..8a18ddb 100644
> > --- a/tests/filesystem/Filesystem.pm
> > +++ b/tests/filesystem/Filesystem.pm
> > @@ -1,10 +1,10 @@
> > @@ -25,15 +25,26 @@ sub check_config {
> >      $mod_pol_vers      = `checkmodule -V | cut -f 2 -d '-'`;
> >      $max_kernel_policy = `cat /sys/fs/selinux/policyvers`;
> > 
> > -    if ( $mod_pol_vers >= 11 and $pol_vers >= 25 and
> > $max_kernel_policy >= 25 )
> > -    {
> > -        $name_trans = 1;
> > -        $tst_count += 2;
> > +    if ( not $nfs_enabled and not $vfat_enabled ) {
> > +        if (    $mod_pol_vers >= 11
> > +            and $pol_vers >= 25
> > +            and $max_kernel_policy >= 25 )
> > +        {
> > +            $name_trans = 1;
> > +            $tst_count += 2;
> > +        }
> > +    }
> > +
> > +    $type_trans = 0;
> > +    if ( not $nfs_enabled and not $vfat_enabled ) {
> > +        $type_trans = 1;
> > +        $tst_count += 1;
> >      }
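Review bot: the `not $nfs_enabled and not $vfat_enabled` guard is evaluated twice back to back, once around the name-based transition check and again around `$type_trans`; folding the `$type_trans = 1; $tst_count += 1;` assignments into the first `if` block removes the repetition and makes it explicit that both features are being switched off for the same reason. Separately, the guard turns off plain `type_transition` testing on labeled NFS as well as on vfat, but nothing in the hunk records why NFS needs that: if the transition tests genuinely fail on NFS, a comment next to the guard pointing at the observed failure (or the bug) is needed, and if they are expected to work there the guard should be on `$vfat_enabled` alone so a real NFS regression is not silently skipped.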
> 
> Why is this disabled on (labeled) NFS?  type_transitions including
> name-based ones should work there AFAICT.  vfat makes sense.

I cannot get these to work on NFS at all. I've started nfs.sh with:

    mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
    mount -t nfs -o vers=4.2,rootcontext=system_u:object_r:test_filesystem_file_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
    mount -t nfs -o vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite

And they always failed.

> 
> > @@ -121,7 +134,7 @@ sub make_fs {
> >      attach_dev( $mk_dev, $mk_dir );
> > 
> >      print "Make $mk_type filesystem on $mk_dev\n";
> > -    $result = system("mkfs.$mk_type -I 256 $mk_dev >& /dev/null");
> > +    $result = system("mkfs.$mk_type $mk_dev >& /dev/null");
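Review bot: dropping `-I 256` unconditionally changes the ext4 layout the tests run on: the inode size now comes from the host's `/etc/mke2fs.conf` instead of being pinned by the test, so whether in-inode (inline) xattr storage is exercised depends on local configuration rather than on the suite. Since `-I` is an ext2/3/4 option that `mkfs.xfs` and `mkfs.vfat` do not accept, the fix is to add it only for ext types, e.g. `my $opts = $mk_type =~ /^ext/ ? '-I 256' : '';` followed by `system("mkfs.$mk_type $opts $mk_dev >/dev/null 2>&1")`. The existing `>& /dev/null` redirection is a bash/csh-ism; `>/dev/null 2>&1` behaves the same under any /bin/sh.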
> 
> What's the effect of dropping -I 256 on ext4 testing?  e.g. do we
> stop
> testing inline xattrs?

It uses the defaults set in /etc/mke2fs.conf instead (defaults to 256 +
others)

> 
> > diff --git a/tests/filesystem/test b/tests/filesystem/test
> > index 78faf72..7074f36 100755
> > --- a/tests/filesystem/test
> > +++ b/tests/filesystem/test
> > +
> > +    if ($nfs_enabled) {
> > +        $test_count -= 3;    # For hooks.c may_create()
> > FILESYSTEM__ASSOCIATE
> > +        $test_count -=
> > +          3;    # For hooks.c selinux_inode_setxattr()
> > FILESYSTEM__ASSOCIATE
> > +        $test_count -= 2;     # For additional Test Invalid Mount
> > tests
> > +        $test_count -= 20;    # For tests involving multiple
> > *context= options
> > +        if ( $seclabel_type eq 0 ) {
> > +            $test_count -= 4;    # If no context option set
> > +        }
> > +        elsif ( $seclabel_type eq 1 ) {
> > +            $test_count -= 2;    # If rootcontext option set
> > +        }
> > +        elsif ( $seclabel_type eq 2 ) {
> > +            $test_count -= 2;    # If fscontext option set
> > +        }
> > +    }
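Review bot: `$seclabel_type eq 0` and the `eq 1` / `eq 2` branches compare a numeric value as a string; `eq` only matches the exact characters, so a value that is numerically 0 but stringifies differently (for example with surrounding whitespace from a shell variable) falls through every branch and no count is subtracted. Use `==` for numeric comparison (`if ( $seclabel_type == 0 )`), or make the variable a string enumeration (`'none'`, `'rootcontext'`, `'fscontext'`) if it is meant to be a label. The hard-coded decrements (`-= 3`, `-= 3`, `-= 2`, `-= 20`) are also fragile: they must be kept in step by hand with whichever test blocks are skipped elsewhere in the file, so any later change to the NFS-excluded tests silently throws the plan count off; having each skipped block decrement `$test_count` at the point it is skipped, with the reason in that block's comment, keeps the count self-maintaining. Minor: the second `$test_count -= 3;` is split across two lines by its long trailing comment; shortening the comment lets it sit on one line like its neighbours.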
> 
> A tad unclear on the rationale for removing all of these.  Are they
> truly not supported by nfs (if so, is that a bug or expected behavior
> e.g. an inherent difference between network and local filesystems
> that
> cannot be addressed without changes to the NFS protocol itself), or
> are they just not supported by existing policy?

Some cannot be tested as they require switching between context options
like the -20 entry (otherwise get the "SELinux: mount invalid. Same
superblock .." log entry with ERR EBUSY). Others require different
entries in nfs.sh. For example, if testing "hooks.c may_create()
FILESYSTEM__ASSOCIATE", the only way I can get this to trigger deny
"filesystem { associate };" is to:

1) In nfs.sh add: "mount -t nfs -o vers=4.2,fscontext=system_u:object_r:test_filesystem_may_create_no_associate_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite"
2) Add additional policy rules.
3) Specifically run against its test set from line 231 of tests/filesystem/test (after modifying it to handle NFS)

The main problem I have is that I'm not really sure what tests should
work under what *context= option scenarios. I test, see what happens
and 'lo and behold' the result must be correct !!! (I've even patched
hooks.c to flag each permission as some can be triggered in more than
one place). I then decide whether to include it in the actual test, and
then let the experts decide. I'll give more detail why I've ignored
them as that should help.
If anyone has ideas on how to test these excluded scenarios, please let
me know.




