-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: Add tests for NFS security labeling support #32
Comments
Failing tests: file/test failure is due to lack of flock() support over NFS (correct, not a bug). |
FWIW nfs labeling seems to be broken again, not sure how long it has been so. |
Hmm..seems like there has been a change in semantics for exports with security_label;if I export the top-level mount (e.g. /home in the case above, where /home is its own filesystem) with security_label, NFSv4.2 labeling is enabled but if I export a subdirectory (e.g. $HOME above) with security_label, it is not. Don't know what kernel version made this change since I don't run these tests regularly. Updated test script to exercise selinux-testsuite over NFSv4.2 with labeling is: |
Also, after first being mounted, ls -Zd of the mountpoint shows unlabeled_t. It then appears to get refreshed at some point upon subsequent access to the correct label. |
When running the testsuite on a labeled NFS mount, certain additional permissions are required for nfsd and its kernel threads and for the nfs_t filesystem. Allow them to avoid unnecessary failures on NFS. Also declare test_setfscreatecon_newcon_t as a files_type() to ensure that it can be accessed as expected by unconfined domains; otherwise, cleanup and repeated runs are not guaranteed to work. Saw denials for unconfined_t and kernel_t on test_fscreatecon_newcon_t when running over labeled NFS, but at least the unconfined_t access was possible even for running locally. Certain test cases are still expected to fail over NFS; see SELinuxProject#32 for more details. Test sequence for labeled NFS is: $ cat nfs.sh MOUNT=/home # must be a top-level mount TESTDIR=$MOUNT/path/to/selinux-testsuite exportfs -orw,no_root_squash,security_label localhost:$MOUNT systemctl start nfs-server mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite exportfs -u localhost:$TESTDIR systemctl stop nfs-server Signed-off-by: Stephen Smalley <[email protected]>
When running the testsuite on a labeled NFS mount, certain additional permissions are required for nfsd and its kernel threads and for the nfs_t filesystem. Allow them to avoid unnecessary failures on NFS. Also declare test_setfscreatecon_newcon_t as a files_type() to ensure that it can be accessed as expected by unconfined domains; otherwise, cleanup and repeated runs are not guaranteed to work. Saw denials for unconfined_t and kernel_t on test_fscreatecon_newcon_t when running over labeled NFS, but at least the unconfined_t access was possible even for running locally. With these changes, all of the "filesystem" tests pass on a labeled NFS mount. Certain test cases are still expected to fail over NFS; see #32 for more details. Test sequence for labeled NFS is: $ cat nfs.sh MOUNT=/home # must be a top-level mount TESTDIR=$MOUNT/path/to/selinux-testsuite exportfs -orw,no_root_squash,security_label localhost:$MOUNT systemctl start nfs-server mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite exportfs -u localhost:$MOUNT systemctl stop nfs-server Signed-off-by: Stephen Smalley <[email protected]>
Certain tests cannot succeed on nfs and therefore should be skipped in that case. This allows the testsuite to be run on a labeled NFS mount as described below without triggering any (additional) failures relative to running on a local filesystem like ext4. The tests that are skipped or modified and the corresponding rationale is: file: 1 test skipped - flock not supported over NFS capable_file: all tests skipped - file capabilities not supported over NFS capable_sys: 1 test skipped - CAP_SYS_RAWIO not supported over NFS overlay: all tests skipped - NFS not supported as an upperdir mac_admin: one test modified - undefined contexts not exported over NFS This partly addresses SELinuxProject#32. Test sequence for labeled NFS is: $ cat nfs.sh MOUNT=/home # must be a top-level mount TESTDIR=$MOUNT/path/to/selinux-testsuite systemctl start nfs-server exportfs -orw,no_root_squash,security_label localhost:$MOUNT mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite exportfs -u localhost:$MOUNT systemctl stop nfs-server Signed-off-by: Stephen Smalley <[email protected]>
Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of SELinuxProject#32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <[email protected]>
Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of SELinuxProject#32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <[email protected]>
In addition to testing full NFS security labeling support, make sure that context mounts continue to work independent of whether the mount was exported with security_label, and add a simple test of the default NFS file labeling. With the previous changes, this completes addressing SELinuxProject#32 Fixes: SELinuxProject#32 Signed-off-by: Stephen Smalley <[email protected]>
Provide instructions in the README.md file, the required kernel config options in defconfig, and a nfs.sh script for running the testsuite within a labeled NFS mount. This depends on the previous change to enable running over labeled NFS without failures. This completes the first part of SELinuxProject#32. What remains unfinished is adding tests that context mounts are properly honored, with and without security_label in exports, for NFS, and default labeling of NFS when neither security_label nor context mounts are used (i.e. genfscon default of nfs_t). Signed-off-by: Stephen Smalley <[email protected]>
In addition to testing full NFS security labeling support, make sure that context mounts continue to work independent of whether the mount was exported with security_label, and add a simple test of the default NFS file labeling. With the previous changes, this completes addressing SELinuxProject#32 Fixes: SELinuxProject#32 Signed-off-by: Stephen Smalley <[email protected]>
A few potential enhancements and improvements that could still be made in the area of NFS testing:
|
Add some tests of NFS security labeling support.
This would ultimately include:
exportfs -orw,no_root_squash,security_label localhost:/path/to/selinux-testsuite;
systemctl start nfs-server;
mkdir -p /mnt/selinux-testsuite;
mount -t nfs -o vers=4.2 localhost:/path/to/selinux-testsuite /mnt/selinux-testsuite;
cd /mnt/selinux-testsuite;
make test
NB: some of these tests currently fail, and this might be normal due to differences between NFS and local filesystems; we may need to select a subset of the tests to run or otherwise skip certain ones on NFS.
testing that context mounts are properly honored, with and without security_label in exports, for NFS < 4.2 and NFS >= 4.2.
testing that NFS file labeling and access under the default NFS file label.
The text was updated successfully, but these errors were encountered: