On Wed, May 29, 2024 at 5:27 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Wed, May 29, 2024 at 10:04 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > These tests currently fail on mount(2) calls due to the directory being
> > unlabeled at the point where search access is checked. Until we can resolve
> > the underlying issue, comment out these tests to allow the NFS tests to
> > be run. It is unclear that these tests ever passed and retaining them
> > prevents enabling the NFS tests in automated testing.
> >
> > Before:
> > Run 'filesystem' tests with mount context option:
> > fscontext=system_u:object_r:test_filesystem_file_t:s0
> > filesystem/test .. 1/41 Failed mount(2): Permission denied
> >
> > # Failed test at filesystem/test line 709.
> > Failed umount(2): Permission denied
> >
> > # Failed test at filesystem/test line 720.
> > Failed mount(2): Permission denied
> >
> > # Failed test at filesystem/test line 744.
> > Failed umount(2): Permission denied
> >
> > # Failed test at filesystem/test line 756.
> > Failed mount(2): Permission denied
> >
> > # Failed test at filesystem/test line 780.
> > Failed umount(2): No such file or directory
> >
> > # Failed test at filesystem/test line 793.
> > Failed mount(2): Permission denied
> >
> > # Failed test at filesystem/test line 851.
> > Failed umount(2): Permission denied
> >
> > # Failed test at filesystem/test line 863.
> > Failed mount(2): Permission denied
> >
> > # Failed test at filesystem/test line 887.
> > Failed umount(2): Permission denied
> >
> > # Failed test at filesystem/test line 899.
> > Failed mount(2): Permission denied
> >
> > # Failed test at filesystem/test line 923.
> > Failed umount(2): Permission denied
> >
> > # Failed test at filesystem/test line 935.
> >
> > # Failed test at filesystem/test line 978.
> > # Looks like you failed 13 tests of 41.
> > filesystem/test .. Dubious, test returned 13 (wstat 3328, 0xd00)
> > Failed 13/41 subtests
> >
> > Test Summary Report
> > -------------------
> > filesystem/test (Wstat: 3328 (exited 13) Tests: 41 Failed: 13)
> > Failed tests: 23, 25-26, 28-29, 31-32, 34-35, 37-38, 40-41
> > Non-zero exit status: 13
> > Files=1, Tests=41, 1 wallclock secs ( 0.02 usr 0.00 sys + 0.22 cusr 0.36 csys = 0.60 CPU)
> > Result: FAIL
> > Failed 1/1 test programs. 13/41 subtests failed.
> > Test failed on line: 85 - Closing down NFS
> > NFS Closed down
> >
> > $ sudo ausearch -m AVC -ts recent | grep unlabeled
> > type=AVC msg=audit(1716989714.176:42466): avc: denied { search } for pid=170755 comm="mount" name="mntpoint" dev="0:60" ino=822109802 scontext=unconfined_u:unconfined_r:test_filesystem_no_watch_mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
> >
> > After:
> > No failing tests.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> > ---
> > tools/nfs.sh | 40 ++++++++++++++++++++--------------------
> > 1 file changed, 20 insertions(+), 20 deletions(-)
> >
> > diff --git a/tools/nfs.sh b/tools/nfs.sh
> > index cf4912c..688903e 100755
> > --- a/tools/nfs.sh
> > +++ b/tools/nfs.sh
> > @@ -77,27 +77,27 @@ POPD=0
> > popd >/dev/null 2>&1
> > umount /mnt/selinux-testsuite
> > #
> > -echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
> > -mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > -pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > -POPD=1
> > -cd tests
> > -./nfsruntests.pl filesystem/test
> > -cd ../
> > -POPD=0
> > -popd >/dev/null 2>&1
> > -umount /mnt/selinux-testsuite
> > +#echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
> > +#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > +#pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > +#POPD=1
> > +#cd tests
> > +#./nfsruntests.pl filesystem/test
> > +#cd ../
> > +#POPD=0
> > +#popd >/dev/null 2>&1
> > +#umount /mnt/selinux-testsuite
> > #
> > -echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
> > -mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > -pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > -POPD=1
> > -cd tests
> > -./nfsruntests.pl fs_filesystem/test
> > -cd ../
> > -POPD=0
> > -popd >/dev/null 2>&1
> > -umount /mnt/selinux-testsuite
> > +#echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
> > +#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > +#pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > +#POPD=1
> > +#cd tests
> > +#./nfsruntests.pl fs_filesystem/test
> > +#cd ../
> > +#POPD=0
> > +#popd >/dev/null 2>&1
> > +#umount /mnt/selinux-testsuite
> > #
>
> Thanks for the additional info in the patch description. I think this
> change is fine, although I have a slight preference to simply removing
> the dead code rather than commenting it out (a small comment can be
> inserted referencing the change if that helps), but ultimately I'll
> leave that decision to Ondrej as he has been really driving
> maintenance of the selinux-testsuite for the past several years.
> However, Ondrej hasn't been responding much on-list lately so it is
> possible he is away for a bit; if that is the case I would say to go
> ahead with what you have and we can always adjust as needed later.
Yes, I was on a 2-week vacation ending tuesday (I should have set up
an auto-reply, but forgot, sorry...).
I'm fine with the patches, although I would prefer that a comment is
added before the commented-out code that explains why it is
commented-out (can be taken from the log message), ideally with a link
to an issue tracker or ML thread(s) so that future readers have a
chance to figure out if the issue has been already fixed or not.
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
