Re: [PATCH] NFS: Ensure security label is set for root inode

On Tue, Mar 10, 2020 at 9:27 AM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> On Mon, 2020-03-09 at 09:35 -0400, Stephen Smalley wrote:
> > 2. Mount a security_label exported NFS filesystem twice, confirm that
> > NFS security labeling support isn't silently disabled by trying to
> > set a label on a file and confirm it is set (fixed by kernel commit
> > 3815a245b50124f0865415dcb606a034e97494d4).  This would go in
> > tools/nfs.sh since it is NFS-specific.
>
> And another one. If you run the same mount twice using mount(2) you get
> EBUSY. If you run with fsmount(2) it works. A simple test below, just
> set $1 to fs for fsmount(2)

I don't know if that's a bug or just an inconsistency between mount(2)
and fsmount(2).
Question for David, Al, and/or fsdevel (cc'd).

>
> Otherwise I've completed the remaining tests with no problems.
>
> #!/bin/bash -e
> MOUNT=`stat --print %m .`
> TESTDIR=`pwd`
> NET="nfsvers=4.2,proto=tcp,clientaddr=127.0.0.1,addr=127.0.0.1"
>
> function err_exit() {
>     echo "Error on line: $1 - Closing down NFS"
>     umount /mnt/selinux-testsuite
>     exportfs -u localhost:$MOUNT
>     rmdir /mnt/selinux-testsuite
>     systemctl stop nfs-server
>     exit 1
> }
>
> trap 'err_exit $LINENO' ERR
>
> systemctl start nfs-server
> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
> mkdir -p /mnt/selinux-testsuite
>
> if [ "$1" = 'fs' ]; then
>     RUN="tests/fs_filesystem/fsmount"
> else
>     RUN="tests/filesystem/mount"
> fi
>
> # Run the same context mount twice on the same mount point.
> $RUN -v -f nfs -o vers=4.2,$NET,context=system_u:object_r:etc_t:s0 -s \
>     localhost:$TESTDIR -t /mnt/selinux-testsuite
> $RUN -v -f nfs -o vers=4.2,$NET,context=system_u:object_r:etc_t:s0 -s \
>     localhost:$TESTDIR -t /mnt/selinux-testsuite
> echo "Testing context mount of a security_label export."
> fctx=`secon -t -f /mnt/selinux-testsuite`
> if [ "$fctx" != "etc_t" ]; then
>     echo "Context mount failed: got $fctx instead of etc_t."
>     err_exit $LINENO
> fi
> umount /mnt/selinux-testsuite
> umount /mnt/selinux-testsuite
>
> echo "Done"
> exportfs -u localhost:$MOUNT
> rmdir /mnt/selinux-testsuite
> systemctl stop nfs-server


