If you test on the selinux-next kernel (that has the XFS patch [1]) with
the "NFS: Ensure security label is set for root inode" patch [2], then all
tests should pass. Anything else will give varying amounts of fails.

The filesystem types tested are: ext4, xfs, vfat and nfs4.

I've revamped the nfs.sh to handle tests that require specific mount
options, these plus many more are now in tests/nfs_filesystem. This only
gets run by nfs.sh.

There are two minor workarounds involving multiple mounts returning EBUSY.
These are either bugs or features.

Not tested on travis.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
[2] https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@xxxxxxxxxx/

To test fanotify fs watch perms on 5.4+ (will also include tests/notify):
1) Extract the base module (base.cil):
       semodule -c -E base
2) Backup, then edit the following definitions in base.cil to add watch
   permissions:
       (common file (ioctl read write ....))
   Add: watch watch_mount watch_sb watch_with_perm watch_reads
       (class filesystem (mount remount ....))
   Add: watch
3) Insert modified base module (inserts with default priority 400):
       semodule -i base.cil
4) Backup, then edit the following definitions in:
       /usr/share/selinux/devel/include/support/all_perms.spt
       define(`all_file_perms',`{ ioctl read write ....
   Add: watch watch_mount watch_sb watch_with_perm watch_reads
       define(`all_dir_perms',`{ ioctl read write ....
   Add: watch watch_mount watch_sb watch_with_perm watch_reads
       define(`all_filesystem_perms',`{ mount remount ....
   Add: watch
5) 'make test' can now be run.

NOTE: Do NOT leave the new base.cil active after tests, as the system may
not reboot if in enforcing mode, as various watch permissions will be
denied.

Revert to the original (priority 100) as follows:
       semodule -r base
       make clean
       make -C policy unload
Finally restore the original:
       /usr/share/selinux/devel/include/support/all_perms.spt

Richard Haines (2):
  selinux-testsuite: Use native filesystem for tests - Part 1
  selinux-testsuite: Use native filesystem for tests - Part 2

 README.md                            |   10 +-
 defconfig                            |    6 +
 policy/test_filesystem.te            |   93 +-
 policy/test_filesystem_name_trans.te |    6 +
 policy/test_filesystem_notify.te     |   41 +-
 tests/filesystem/.gitignore          |    1 +
 tests/filesystem/Filesystem.pm       |  114 ++-
 tests/filesystem/Makefile            |    3 +-
 tests/filesystem/test                | 1205 +++++++++++++++---------
 tests/filesystem/xfs_quotas_test.c   |   96 ++
 tests/fs_filesystem/fsmount.c        |    5 +-
 tests/fs_filesystem/test             | 1306 ++++++++++++++++----------
 tests/nfs_filesystem/test            |  359 +++++++
 tests/nfsruntests.pl                 |    5 +
 tools/nfs.sh                         |  123 ++-
 15 files changed, 2374 insertions(+), 999 deletions(-)
 create mode 100644 tests/filesystem/xfs_quotas_test.c
 create mode 100755 tests/nfs_filesystem/test
 create mode 100755 tests/nfsruntests.pl

-- 
2.24.1
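
The step 2 edit to base.cil can be scripted so it is repeatable and leaves the extracted file untouched as the backup. The following is an added example, not part of the original post or of the testsuite; the names add_watch_perms and demo and the sample policy lines are assumptions, and it covers only base.cil, not all_perms.spt.

```shell
#!/bin/sh
# Added example: apply the step 2 edits to an exported base.cil.
# Assumption: each definition sits on a single line ending in "))";
# lines that do not fit that shape are copied through unchanged.

FILE_WATCH="watch watch_mount watch_sb watch_with_perm watch_reads"

# add_watch_perms SRC DST
# Copy SRC to DST, appending the watch permissions to "common file" and
# "class filesystem". SRC is never modified, so it serves as the backup.
add_watch_perms() {
    awk -v fperms="$FILE_WATCH" '
    function add(line, perms,    a, n, i) {
        sub(/\)\)[ \t]*$/, "", line)         # drop the closing "))"
        n = split(perms, a, " ")
        for (i = 1; i <= n; i++)             # skip perms already present
            if (line !~ ("[ (]" a[i] "( |$)"))
                line = line " " a[i]
        return line "))"
    }
    /^\(common file \(.*\)\)[ \t]*$/      { print add($0, fperms); next }
    /^\(class filesystem \(.*\)\)[ \t]*$/ { print add($0, "watch"); next }
    { print }
    ' "$1" > "$2"
}

# Constructed sample: abbreviated permission lists, not a real base.cil.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/base.cil" <<'EOF'
(common file (ioctl read write getattr))
(class filesystem (mount remount unmount))
(class dir (add_name remove_name))
EOF
    add_watch_perms "$tmp/base.cil" "$tmp/base.new.cil"
    cat "$tmp/base.new.cil"
    rm -rf "$tmp"
}

demo
```

Running it a second time over its own output changes nothing, so a half-finished setup can be re-run safely before the semodule -i step.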