On Tue, Feb 25, 2020 at 11:04 AM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> On Mon, 2020-02-24 at 16:17 -0500, Stephen Smalley wrote:
> > On Mon, Feb 24, 2020 at 9:16 AM Richard Haines
> > <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > > diff --git a/tests/filesystem/Filesystem.pm > > > b/tests/filesystem/Filesystem.pm > > > index a08570a..8a18ddb 100644 > > > --- a/tests/filesystem/Filesystem.pm > > > +++ b/tests/filesystem/Filesystem.pm > > > @@ -1,10 +1,10 @@ > > > @@ -25,15 +25,26 @@ sub check_config { > > > $mod_pol_vers = `checkmodule -V | cut -f 2 -d '-'`; > > > $max_kernel_policy = `cat /sys/fs/selinux/policyvers`; > > > > > > - if ( $mod_pol_vers >= 11 and $pol_vers >= 25 and > > > $max_kernel_policy >= 25 ) > > > - { > > > - $name_trans = 1; > > > - $tst_count += 2; > > > + if ( not $nfs_enabled and not $vfat_enabled ) { > > > + if ( $mod_pol_vers >= 11 > > > + and $pol_vers >= 25 > > > + and $max_kernel_policy >= 25 ) > > > + { > > > + $name_trans = 1; > > > + $tst_count += 2; > > > + } > > > + } > > > + > > > + $type_trans = 0; > > > + if ( not $nfs_enabled and not $vfat_enabled ) { > > > + $type_trans = 1; > > > + $tst_count += 1; > > > }
> >
> > Why is this disabled on (labeled) NFS? type_transitions including
> > name-based ones should work there AFAICT. vfat makes sense.
>
> I cannot get these to work on NFS at all. I've started nfs.sh with:
> mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
> mount -t nfs -o
> vers=4.2,rootcontext=system_u:object_r:test_filesystem_file_t:s0
> localhost:$TESTDIR /mnt/selinux-testsuite
> mount -t nfs -o
> vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0
> localhost:$TESTDIR /mnt/selinux-testsuite
> And they always failed.

If you just ran the nametrans tests in the host filesystem rather than
in the separate mount, I think it would work. This would require
adjusting the type_transition rules however to reflect the actual
parent directory type (probably test_file_t).
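
Review bot: In the check_config hunk, the guard `not $nfs_enabled and not $vfat_enabled` is written out twice in back-to-back blocks, and neither block carries a comment saying why NFS is excluded alongside vfat. Consider setting `$name_trans` and `$type_trans` under a single guard and adding a comment that gives the reason for each filesystem, so the NFS exclusion can be removed on its own if the transition tests are made to work there. Nothing in the visible lines reports the skip either: `$tst_count` just stays lower, so a run with NFS or vfat enabled gives no indication that the type_transition and name-based transition tests were not exercised.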