RFE: Add tests for NFS security labeling support #32
Comments
|
Failing tests: file/test failure is due to lack of flock() support over NFS (correct, not a bug). |
|
FWIW nfs labeling seems to be broken again, not sure how long it has been so. |
|
Hmm..seems like there has been a change in semantics for exports with security_label;if I export the top-level mount (e.g. /home in the case above, where /home is its own filesystem) with security_label, NFSv4.2 labeling is enabled but if I export a subdirectory (e.g. $HOME above) with security_label, it is not. Don't know what kernel version made this change since I don't run these tests regularly. Updated test script to exercise selinux-testsuite over NFSv4.2 with labeling is: |
|
Also, after first being mounted, ls -Zd of the mountpoint shows unlabeled_t. It then appears to get refreshed at some point upon subsequent access to the correct label. |
When running the testsuite on a labeled NFS mount, certain additional permissions are required for nfsd and its kernel threads and for the nfs_t filesystem. Allow them to avoid unnecessary failures on NFS. Also declare test_setfscreatecon_newcon_t as a files_type() to ensure that it can be accessed as expected by unconfined domains; otherwise, cleanup and repeated runs are not guaranteed to work. Saw denials for unconfined_t and kernel_t on test_fscreatecon_newcon_t when running over labeled NFS, but at least the unconfined_t access was possible even for running locally. Certain test cases are still expected to fail over NFS; see SELinuxProject#32 for more details. Test sequence for labeled NFS is: $ cat nfs.sh MOUNT=/home # must be a top-level mount TESTDIR=$MOUNT/path/to/selinux-testsuite exportfs -orw,no_root_squash,security_label localhost:$MOUNT systemctl start nfs-server mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite exportfs -u localhost:$TESTDIR systemctl stop nfs-server Signed-off-by: Stephen Smalley <[email protected]>
When running the testsuite on a labeled NFS mount, certain additional permissions are required for nfsd and its kernel threads and for the nfs_t filesystem. Allow them to avoid unnecessary failures on NFS. Also declare test_setfscreatecon_newcon_t as a files_type() to ensure that it can be accessed as expected by unconfined domains; otherwise, cleanup and repeated runs are not guaranteed to work. Saw denials for unconfined_t and kernel_t on test_fscreatecon_newcon_t when running over labeled NFS, but at least the unconfined_t access was possible even for running locally. With these changes, all of the "filesystem" tests pass on a labeled NFS mount. Certain test cases are still expected to fail over NFS; see #32 for more details. Test sequence for labeled NFS is: $ cat nfs.sh MOUNT=/home # must be a top-level mount TESTDIR=$MOUNT/path/to/selinux-testsuite exportfs -orw,no_root_squash,security_label localhost:$MOUNT systemctl start nfs-server mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite exportfs -u localhost:$MOUNT systemctl stop nfs-server Signed-off-by: Stephen Smalley <[email protected]>
Certain tests cannot succeed on nfs and therefore should be skipped in that case. This allows the testsuite to be run on a labeled NFS mount as described below without triggering any (additional) failures relative to running on a local filesystem like ext4. The tests that are skipped or modified and the corresponding rationale is: file: 1 test skipped - flock not supported over NFS capable_file: all tests skipped - file capabilities not supported over NFS capable_sys: 1 test skipped - CAP_SYS_RAWIO not supported over NFS overlay: all tests skipped - NFS not supported as an upperdir mac_admin: one test modified - undefined contexts not exported over NFS This partly addresses SELinuxProject#32. Test sequence for labeled NFS is: $ cat nfs.sh MOUNT=/home # must be a top-level mount TESTDIR=$MOUNT/path/to/selinux-testsuite systemctl start nfs-server exportfs -orw,no_root_squash,security_label localhost:$MOUNT mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite exportfs -u localhost:$MOUNT systemctl stop nfs-server Signed-off-by: Stephen Smalley <[email protected]>
Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of SELinuxProject#32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <[email protected]>
Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of SELinuxProject#32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <[email protected]>
In addition to testing full NFS security labeling support, make sure that context mounts continue to work independent of whether the mount was exported with security_label, and add a simple test of the default NFS file labeling. With the previous changes, this completes addressing SELinuxProject#32 Fixes: SELinuxProject#32 Signed-off-by: Stephen Smalley <[email protected]>
Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of SELinuxProject#32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <[email protected]>
In addition to testing full NFS security labeling support, make sure that context mounts continue to work independent of whether the mount was exported with security_label, and add a simple test of the default NFS file labeling. With the previous changes, this completes addressing SELinuxProject#32 Fixes: SELinuxProject#32 Signed-off-by: Stephen Smalley <[email protected]>
|
A few potential enhancements and improvements that could still be made in the area of NFS testing:
|
Add some tests of NFS security labeling support.
This would ultimately include:
exportfs -orw,no_root_squash,security_label localhost:/path/to/selinux-testsuite;
systemctl start nfs-server;
mkdir -p /mnt/selinux-testsuite;
mount -t nfs -o vers=4.2 localhost:/path/to/selinux-testsuite /mnt/selinux-testsuite;
cd /mnt/selinux-testsuite;
make test
NB: some of these tests currently fail, and this might be normal due to differences between NFS and local filesystems; we may need to select a subset of the tests to run or otherwise skip certain ones on NFS.
testing that context mounts are properly honored, with and without security_label in exports, for NFS < 4.2 and NFS >= 4.2.
testing that NFS file labeling and access under the default NFS file label.
The text was updated successfully, but these errors were encountered: