On Fri, May 31, 2024 at 3:13 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> These tests currently fail on mount(2) calls due to the directory being
> unlabeled at the point where search access is checked. Until we can resolve
> the underlying issue, comment out these tests to allow the NFS tests to
> be run. It is unclear that these tests ever passed and retaining them
> prevents enabling the NFS tests in automated testing.
>
> This bug is tracked in
> https://github.com/SELinuxProject/selinux-testsuite/issues/91
>
> Before:
> Run 'filesystem' tests with mount context option:
> fscontext=system_u:object_r:test_filesystem_file_t:s0
> filesystem/test .. 1/41 Failed mount(2): Permission denied
>
> # Failed test at filesystem/test line 709.
> Failed umount(2): Permission denied
>
> # Failed test at filesystem/test line 720.
> Failed mount(2): Permission denied
>
> # Failed test at filesystem/test line 744.
> Failed umount(2): Permission denied
>
> # Failed test at filesystem/test line 756.
> Failed mount(2): Permission denied
>
> # Failed test at filesystem/test line 780.
> Failed umount(2): No such file or directory
>
> # Failed test at filesystem/test line 793.
> Failed mount(2): Permission denied
>
> # Failed test at filesystem/test line 851.
> Failed umount(2): Permission denied
>
> # Failed test at filesystem/test line 863.
> Failed mount(2): Permission denied
>
> # Failed test at filesystem/test line 887.
> Failed umount(2): Permission denied
>
> # Failed test at filesystem/test line 899.
> Failed mount(2): Permission denied
>
> # Failed test at filesystem/test line 923.
> Failed umount(2): Permission denied
>
> # Failed test at filesystem/test line 935.
>
> # Failed test at filesystem/test line 978.
> # Looks like you failed 13 tests of 41.
> filesystem/test .. Dubious, test returned 13 (wstat 3328, 0xd00)
> Failed 13/41 subtests
>
> Test Summary Report
> -------------------
> filesystem/test (Wstat: 3328 (exited 13) Tests: 41 Failed: 13)
> Failed tests: 23, 25-26, 28-29, 31-32, 34-35, 37-38, 40-41
> Non-zero exit status: 13
> Files=1, Tests=41, 1 wallclock secs ( 0.02 usr 0.00 sys + 0.22 cusr 0.36 csys = 0.60 CPU)
> Result: FAIL
> Failed 1/1 test programs. 13/41 subtests failed.
> Test failed on line: 85 - Closing down NFS
> NFS Closed down
>
> $ sudo ausearch -m AVC -ts recent | grep unlabeled
> type=AVC msg=audit(1716989714.176:42466): avc: denied { search } for pid=170755 comm="mount" name="mntpoint" dev="0:60" ino=822109802 scontext=unconfined_u:unconfined_r:test_filesystem_no_watch_mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
>
> After:
> No failing tests.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> tools/nfs.sh | 44 ++++++++++++++++++++++++--------------------
> 1 file changed, 24 insertions(+), 20 deletions(-)

Thanks! The two patches are now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/7738f9f68cedfe36ace71a15ae49ed3d9dd85b36
https://github.com/SELinuxProject/selinux-testsuite/commit/0815abcd70b382e13592264ce39bf48742421cc8

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.