On Wed, 2020-03-25 at 10:56 -0400, Stephen Smalley wrote: > On Wed, Mar 25, 2020 at 9:09 AM Richard Haines > <richard_c_haines@xxxxxxxxxxxxxx> wrote: > > If tested on the selinux-next kernel (that has the XFS patch [1]) > > with > > the "NFS: Ensure security label is set for root inode" patch [2], > > then all > > tests should pass. Anything else will give varying amounts of > > fails. > > > > The filesystem types tested are: ext4, xfs, vfat and nfs4. > > > > [1] > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce > > [2] > > https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@xxxxxxxxxx/ > > Thanks, with this version of the patches, make test and > ./tools/nfs.sh > pass for me on the selinux next branch. > Still need to review all the changes and confirm that it is all > functioning as expected (e.g. getting the expected permission > denials). Attached are the (cleaned up) audit2allow entries for the fs test denials that I have been using as a reference across the various revisions of the patches; they list, per test domain, the expected permission denials. Watch support is configured and the selinux-next kernel is in use. > Ondrej, how does this fare on RHEL-8, both with respect to > differences > there in policy/userspace and with respect to default use of > xfs instead of ext4?
tests/filesystem/test -f ext4 ======================== 83 tests ================== #============= test_file_no_quotaon_t ============== allow test_file_no_quotaon_t self:file quotaon; #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate; #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t fs_t:filesystem getattr; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t fs_t:filesystem mount; #============= test_filesystem_no_quotaget_t ============== allow test_filesystem_no_quotaget_t self:filesystem quotaget; #============= test_filesystem_no_quotamod_t ============== allow test_filesystem_no_quotamod_t self:filesystem quotamod; #============= test_filesystem_no_remount_t ============== allow test_filesystem_no_remount_t fs_t:filesystem remount; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t fs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t self:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t self:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t self:filesystem watch; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate; #============= unconfined_t 
============== allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate; #============= unlabeled_t ============== allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate; ################################################################################ tests/filesystem/test -f xfs ======================== 76 tests ================== #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate; #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t fs_t:filesystem getattr; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t fs_t:filesystem mount; #============= test_filesystem_no_quotaget_t ============== allow test_filesystem_no_quotaget_t self:filesystem quotaget; #============= test_filesystem_no_quotamod_t ============== allow test_filesystem_no_quotamod_t self:filesystem quotamod; #============= test_filesystem_no_remount_t ============== allow test_filesystem_no_remount_t fs_t:filesystem remount; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t fs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t self:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t self:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t self:filesystem watch; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow 
test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate; #============= unconfined_t ============== allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate; #============= unlabeled_t ============== allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate; ################################################################################ tests/filesystem/test -f vfat ======================== 54 tests ================== #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t dosfs_t:filesystem associate; #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t fs_t:filesystem getattr; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t dosfs_t:filesystem relabelfrom; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t dosfs_t:filesystem mount; #============= test_filesystem_no_remount_t ============== allow test_filesystem_no_remount_t dosfs_t:filesystem remount; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t dosfs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t self:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t self:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t self:filesystem watch; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t dosfs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow 
test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate;
tests/fs_filesystem/test -f ext4 ======================== 82 tests ================== #============= test_file_no_quotaon_t ============== allow test_file_no_quotaon_t self:file quotaon; #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate; #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t fs_t:filesystem getattr; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t fs_t:filesystem mount; #============= test_filesystem_no_quotaget_t ============== allow test_filesystem_no_quotaget_t self:filesystem quotaget; #============= test_filesystem_no_quotamod_t ============== allow test_filesystem_no_quotamod_t self:filesystem quotamod; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t fs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t self:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t self:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t self:filesystem watch; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= test_move_mount_no_mounton_t ============== allow test_move_mount_no_mounton_t test_file_t:dir mounton; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate; #============= unconfined_t 
============== allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate; #============= unlabeled_t ============== allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate; ################################################################################ tests/fs_filesystem/test -f xfs ======================== 75 tests ================== #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t fs_t:filesystem associate; #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t fs_t:filesystem getattr; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t fs_t:filesystem mount; #============= test_filesystem_no_quotaget_t ============== allow test_filesystem_no_quotaget_t self:filesystem quotaget; #============= test_filesystem_no_quotamod_t ============== allow test_filesystem_no_quotamod_t self:filesystem quotamod; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t fs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t self:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t self:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t self:filesystem watch; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t fs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= test_move_mount_no_mounton_t ============== 
allow test_move_mount_no_mounton_t test_file_t:dir mounton; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate; #============= unconfined_t ============== allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate; #============= unlabeled_t ============== allow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem associate; ################################################################################ tests/fs_filesystem/test -f vfat ======================== 53 tests ================== #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t dosfs_t:filesystem associate; #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t fs_t:filesystem getattr; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t dosfs_t:filesystem relabelfrom; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t dosfs_t:filesystem mount; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t dosfs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t self:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t self:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t self:filesystem watch; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t dosfs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= test_move_mount_no_mounton_t ============== allow 
test_move_mount_no_mounton_t test_file_t:dir mounton; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate;
tools/nfs.sh nfs_filesystem ======================== 56 tests ================== #============= test_filesystem_inode_relabel_no_associate_t ============== allow test_filesystem_inode_relabel_no_associate_t self:filesystem associate; #============= test_filesystem_no_inode_no_relabelfrom_t ============== allow test_filesystem_no_inode_no_relabelfrom_t nfs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelfrom_t ============== allow test_filesystem_sb_relabel_no_relabelfrom_t nfs_t:filesystem relabelfrom; #============= test_filesystem_sb_relabel_no_relabelto_t ============== allow test_filesystem_sb_relabel_no_relabelto_t self:filesystem relabelto; #============= unconfined_t ============== allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem associate; allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem associate; ################################################################################ tools/nfs.sh fs_filesystem ======================== 37 tests ================== #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t nfs_t:filesystem getattr; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t nfs_t:filesystem mount; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t nfs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t test_file_t:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t test_file_t:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t nfs_t:filesystem watch; #============= test_move_mount_no_mounton_t ============== allow test_move_mount_no_mounton_t test_file_t:dir mounton; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process 
setfscreate; ################################################################################ tools/nfs.sh filesystem ======================== 38 tests ================== #============= test_filesystem_no_getattr_t ============== allow test_filesystem_no_getattr_t nfs_t:filesystem getattr; #============= test_filesystem_no_mount_t ============== allow test_filesystem_no_mount_t nfs_t:filesystem mount; #============= test_filesystem_no_remount_t ============== allow test_filesystem_no_remount_t nfs_t:filesystem remount; #============= test_filesystem_no_unmount_t ============== allow test_filesystem_no_unmount_t nfs_t:filesystem unmount; #============= test_filesystem_no_watch_mount_t ============== allow test_filesystem_no_watch_mount_t test_file_t:dir watch_mount; #============= test_filesystem_no_watch_sb_t ============== allow test_filesystem_no_watch_sb_t test_file_t:dir watch_sb; #============= test_filesystem_no_watch_t ============== allow test_filesystem_no_watch_t nfs_t:filesystem watch; #============= test_no_setfscreatecon_t ============== allow test_no_setfscreatecon_t self:process setfscreate;