Re: selinux-testsuite / NFS symlink issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Sep 4, 2024 at 5:29 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Sep 4, 2024 at 11:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > Hello,
> >
> > While playing with migrating selinux-testsuite CI to Testing Farm
> > (more on that later) I encountered a problem when running the NFS
> > tests: When you create a symlink to the testsuite directory, cd inside
> > that symlink, and run ./tools/nfs.sh, the nfs_filesystem/test fails.
> > In fact, I also get some strange failures in unix_socket/test in the
> > general testsuite run over NFS, but only when I run this scenario
> > manually, not when running through the TMT tool (which also runs the
> > tests inside a symlink to the testsuite directory, but only fails on
> > the nfs_filesystem/test).
> >
> > Feel free to investigate if interested, for now I will leave the NFS
> > tests out of the CI, as it's not clear if the issues are in the
> > testsuite or the kernel (or both) and I don't want to add workarounds
> > blindly.
>
> I'd tentatively guess that the symlink problem is merely that the test
> policy isn't allowing the test domains to read
> <whatever-type-is-on-that-symlink>:lnk_file. I'd try that and if so,
> possibly add it to the test policy or relabel that symlink to an
> allowed type.
>
> Unix socket test failures sound familiar - I seem to recall an earlier
> email exchange about encountering that myself that turned out to
> actually be the bug in NFS that I fixed earlier this year.

Good point! I must have done my debugging runs in an environment with
an older (broken) kernel and not realize it... Back then even adding
the policy didn't resolve the failures, but with a recent kernel
adding two lines to the policy is indeed enough.

In the meantime I have refactored the way the tests are run, so it
incidentally no longer triggers the symlink bug, but I have posted a
patch with the policy fixes anyway, so that it doesn't become a
problem in the future.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.






[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux