| Message ID | 20200114122804.321628-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | selinux-testsuite: Add filesystem tests | expand |
On 1/14/20 7:28 AM, Richard Haines wrote: > These tests should cover all the areas in selinux/hooks.c that touch > the 'filesystem' class. Each hooks.c function is listed in the 'test' > script as there are some permissions that are checked in multiple places. > > Tested on Fedora 31 and Rawhide (5.5 for the new watch perm). > > V4 Changes: > 1) Test non-name based type transition rule. > 2) Test two different name-based type transition rules that only differ > in name. Sorry, I guess my wording was confusing. What I meant was that the inputs to the two name-based type transition rules were identical except for the name, but you would want them to have different output/result types so that you can tell whether it actually distinguished them. > 3) Creating ext4 filesystems with inodes > 128 bytes using -I 256. > 4) Use kernel_setsched() macro. > > V3 Changes: > 1) Lots of minor updates. > 2) Add 'udevadm settle' as suggested by Ondrej to resolve udisks(8) issue. > 3) Add stopping udisks(8) daemon as a '-d' option. > 4) Add file quotaon test. > 5) Add test for name type_transition rule. > 6) Fix setfscreatecon(3) test to create a directory and check context. > 7) Use kernel_dontaudit_setsched() as explained in [1]. > > [1] https://lore.kernel.org/selinux/f863a91987c1926a4351f3edf968c9003197fead.camel@btinternet.com/ > > V2 Changes: > 1) If udisks(8) daemon is running, stop then restart after tests. The tests > run faster and stops the annoying habit of adding mounts to the 'files' > app on the desktop. Supports /usr/bin/systemctl or /usr/sbin/service > More importantly it stops interferance with the '*context=' tests as it > can cause intermittent failures. Tested by running 'test' in a continuous > loop with udisks enabled, and then again disabled. > Loop 200 times, with udisks failed between 1 to 70 iterations, without > udisks, no failures. > 2) Add "#define QFMT_VFS_V0 2" to quotas_test.c to fix a RHEL/CentOS 7 and > below build issue. > 3) Build new file context based on the original in > create_file_change_context.c > 4) Use "runcon `id -Z` quotacheck ..." to resolve RHEL-6 test run issue. > 5) Fix free() contexts in create_file_change_context.c and > check_mount_context.c > > To test fanotify fs watch perm on 5.5+: > 1) Build the testsuite policy first: > make -C policy load > > 2) Add the following CIL statements to watch.cil and install: > semodule -i watch.cil > > (common filesystem (watch)) > (classcommon filesystem filesystem) > (allow test_filesystem_t self(filesystem (watch))) > ; Until 'fs_watch_all_fs(test_filesystem_t)' in Policy use: > (allow test_filesystem_t fs_t (filesystem (watch))) > ; Required if notify policy enabled > ;(allow test_filesystem_t self (dir (watch_sb))) > > 3) Edit /usr/share/selinux/devel/include/support/all_perms.spt > and insert the 'watch' permission at: > > define(`all_filesystem_perms',`{ mount remount ..... watch }') > > Richard Haines (1): > selinux-testsuite: Add filesystem tests > > defconfig | 6 + > policy/Makefile | 4 + > policy/test_filesystem.te | 356 +++++++ > tests/Makefile | 7 + > tests/filesystem/.gitignore | 11 + > tests/filesystem/Makefile | 16 + > tests/filesystem/check_file_context.c | 75 ++ > tests/filesystem/check_mount_context.c | 127 +++ > tests/filesystem/create_file.c | 117 +++ > tests/filesystem/create_file_change_context.c | 146 +++ > tests/filesystem/fanotify_fs.c | 79 ++ > tests/filesystem/fs_relabel.c | 138 +++ > tests/filesystem/grim_reaper.c | 89 ++ > tests/filesystem/mount.c | 130 +++ > tests/filesystem/quotas_test.c | 143 +++ > tests/filesystem/statfs_test.c | 65 ++ > tests/filesystem/test | 941 ++++++++++++++++++ > tests/filesystem/umount.c | 84 ++ > 18 files changed, 2534 insertions(+) > create mode 100644 policy/test_filesystem.te > create mode 100644 tests/filesystem/.gitignore > create mode 100644 tests/filesystem/Makefile > create mode 100644 tests/filesystem/check_file_context.c > create mode 100644 tests/filesystem/check_mount_context.c > create mode 100644 tests/filesystem/create_file.c > create mode 100644 tests/filesystem/create_file_change_context.c > create mode 100644 tests/filesystem/fanotify_fs.c > create mode 100644 tests/filesystem/fs_relabel.c > create mode 100644 tests/filesystem/grim_reaper.c > create mode 100644 tests/filesystem/mount.c > create mode 100644 tests/filesystem/quotas_test.c > create mode 100644 tests/filesystem/statfs_test.c > create mode 100755 tests/filesystem/test > create mode 100644 tests/filesystem/umount.c >
On Tue, 2020-01-14 at 08:30 -0500, Stephen Smalley wrote: > On 1/14/20 7:28 AM, Richard Haines wrote: > > These tests should cover all the areas in selinux/hooks.c that > > touch > > the 'filesystem' class. Each hooks.c function is listed in the > > 'test' > > script as there are some permissions that are checked in multiple > > places. > > > > Tested on Fedora 31 and Rawhide (5.5 for the new watch perm). > > > > V4 Changes: > > 1) Test non-name based type transition rule. > > 2) Test two different name-based type transition rules that only > > differ > > in name. > > Sorry, I guess my wording was confusing. What I meant was that the > inputs to the two name-based type transition rules were identical > except > for the name, but you would want them to have different > output/result > types so that you can tell whether it actually distinguished them. So would this be ok as policy rules: type_transition test_filesystem_t test_filesystem_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1"; type_transition test_filesystem_t test_filesystem_t:file test_filesystem_filenametranscon2_t "name_trans_test_file2"; > > > 3) Creating ext4 filesystems with inodes > 128 bytes using -I 256. > > 4) Use kernel_setsched() macro. > > > > V3 Changes: > > 1) Lots of minor updates. > > 2) Add 'udevadm settle' as suggested by Ondrej to resolve udisks(8) > > issue. > > 3) Add stopping udisks(8) daemon as a '-d' option. > > 4) Add file quotaon test. > > 5) Add test for name type_transition rule. > > 6) Fix setfscreatecon(3) test to create a directory and check > > context. > > 7) Use kernel_dontaudit_setsched() as explained in [1]. > > > > [1] > > https://lore.kernel.org/selinux/f863a91987c1926a4351f3edf968c9003197fead.camel@btinternet.com/ > > > > V2 Changes: > > 1) If udisks(8) daemon is running, stop then restart after tests. > > The tests > > run faster and stops the annoying habit of adding mounts to the > > 'files' > > app on the desktop. Supports /usr/bin/systemctl or > > /usr/sbin/service > > More importantly it stops interferance with the '*context=' > > tests as it > > can cause intermittent failures. Tested by running 'test' in a > > continuous > > loop with udisks enabled, and then again disabled. > > Loop 200 times, with udisks failed between 1 to 70 iterations, > > without > > udisks, no failures. > > 2) Add "#define QFMT_VFS_V0 2" to quotas_test.c to fix a > > RHEL/CentOS 7 and > > below build issue. > > 3) Build new file context based on the original in > > create_file_change_context.c > > 4) Use "runcon `id -Z` quotacheck ..." to resolve RHEL-6 test run > > issue. > > 5) Fix free() contexts in create_file_change_context.c and > > check_mount_context.c > > > > To test fanotify fs watch perm on 5.5+: > > 1) Build the testsuite policy first: > > make -C policy load > > > > 2) Add the following CIL statements to watch.cil and install: > > semodule -i watch.cil > > > > (common filesystem (watch)) > > (classcommon filesystem filesystem) > > (allow test_filesystem_t self(filesystem (watch))) > > ; Until 'fs_watch_all_fs(test_filesystem_t)' in Policy use: > > (allow test_filesystem_t fs_t (filesystem (watch))) > > ; Required if notify policy enabled > > ;(allow test_filesystem_t self (dir (watch_sb))) > > > > 3) Edit /usr/share/selinux/devel/include/support/all_perms.spt > > and insert the 'watch' permission at: > > > > define(`all_filesystem_perms',`{ mount remount ..... watch }') > > > > Richard Haines (1): > > selinux-testsuite: Add filesystem tests > > > > defconfig | 6 + > > policy/Makefile | 4 + > > policy/test_filesystem.te | 356 +++++++ > > tests/Makefile | 7 + > > tests/filesystem/.gitignore | 11 + > > tests/filesystem/Makefile | 16 + > > tests/filesystem/check_file_context.c | 75 ++ > > tests/filesystem/check_mount_context.c | 127 +++ > > tests/filesystem/create_file.c | 117 +++ > > tests/filesystem/create_file_change_context.c | 146 +++ > > tests/filesystem/fanotify_fs.c | 79 ++ > > tests/filesystem/fs_relabel.c | 138 +++ > > tests/filesystem/grim_reaper.c | 89 ++ > > tests/filesystem/mount.c | 130 +++ > > tests/filesystem/quotas_test.c | 143 +++ > > tests/filesystem/statfs_test.c | 65 ++ > > tests/filesystem/test | 941 > > ++++++++++++++++++ > > tests/filesystem/umount.c | 84 ++ > > 18 files changed, 2534 insertions(+) > > create mode 100644 policy/test_filesystem.te > > create mode 100644 tests/filesystem/.gitignore > > create mode 100644 tests/filesystem/Makefile > > create mode 100644 tests/filesystem/check_file_context.c > > create mode 100644 tests/filesystem/check_mount_context.c > > create mode 100644 tests/filesystem/create_file.c > > create mode 100644 tests/filesystem/create_file_change_context.c > > create mode 100644 tests/filesystem/fanotify_fs.c > > create mode 100644 tests/filesystem/fs_relabel.c > > create mode 100644 tests/filesystem/grim_reaper.c > > create mode 100644 tests/filesystem/mount.c > > create mode 100644 tests/filesystem/quotas_test.c > > create mode 100644 tests/filesystem/statfs_test.c > > create mode 100755 tests/filesystem/test > > create mode 100644 tests/filesystem/umount.c > >
On 1/14/20 8:39 AM, Richard Haines wrote: > On Tue, 2020-01-14 at 08:30 -0500, Stephen Smalley wrote: >> On 1/14/20 7:28 AM, Richard Haines wrote: >>> These tests should cover all the areas in selinux/hooks.c that >>> touch >>> the 'filesystem' class. Each hooks.c function is listed in the >>> 'test' >>> script as there are some permissions that are checked in multiple >>> places. >>> >>> Tested on Fedora 31 and Rawhide (5.5 for the new watch perm). >>> >>> V4 Changes: >>> 1) Test non-name based type transition rule. >>> 2) Test two different name-based type transition rules that only >>> differ >>> in name. >> >> Sorry, I guess my wording was confusing. What I meant was that the >> inputs to the two name-based type transition rules were identical >> except >> for the name, but you would want them to have different >> output/result >> types so that you can tell whether it actually distinguished them. > > So would this be ok as policy rules: > > type_transition test_filesystem_t test_filesystem_t:file > test_filesystem_filenametranscon1_t "name_trans_test_file1"; > type_transition test_filesystem_t test_filesystem_t:file > test_filesystem_filenametranscon2_t "name_trans_test_file2"; Yes. It looks a little odd in that usually the source context is a process context and the target context is a parent directory context so it is unusual that they'd be the same in any real-world policy (generally that would only happen for /proc/pid and you can't create files there). But I guess that's a side effect of the way the other tests work / using context mounts? > > >> >>> 3) Creating ext4 filesystems with inodes > 128 bytes using -I 256. >>> 4) Use kernel_setsched() macro. >>> >>> V3 Changes: >>> 1) Lots of minor updates. >>> 2) Add 'udevadm settle' as suggested by Ondrej to resolve udisks(8) >>> issue. >>> 3) Add stopping udisks(8) daemon as a '-d' option. >>> 4) Add file quotaon test. >>> 5) Add test for name type_transition rule. >>> 6) Fix setfscreatecon(3) test to create a directory and check >>> context. >>> 7) Use kernel_dontaudit_setsched() as explained in [1]. >>> >>> [1] >>> https://lore.kernel.org/selinux/f863a91987c1926a4351f3edf968c9003197fead.camel@btinternet.com/ >>> >>> V2 Changes: >>> 1) If udisks(8) daemon is running, stop then restart after tests. >>> The tests >>> run faster and stops the annoying habit of adding mounts to the >>> 'files' >>> app on the desktop. Supports /usr/bin/systemctl or >>> /usr/sbin/service >>> More importantly it stops interferance with the '*context=' >>> tests as it >>> can cause intermittent failures. Tested by running 'test' in a >>> continuous >>> loop with udisks enabled, and then again disabled. >>> Loop 200 times, with udisks failed between 1 to 70 iterations, >>> without >>> udisks, no failures. >>> 2) Add "#define QFMT_VFS_V0 2" to quotas_test.c to fix a >>> RHEL/CentOS 7 and >>> below build issue. >>> 3) Build new file context based on the original in >>> create_file_change_context.c >>> 4) Use "runcon `id -Z` quotacheck ..." to resolve RHEL-6 test run >>> issue. >>> 5) Fix free() contexts in create_file_change_context.c and >>> check_mount_context.c >>> >>> To test fanotify fs watch perm on 5.5+: >>> 1) Build the testsuite policy first: >>> make -C policy load >>> >>> 2) Add the following CIL statements to watch.cil and install: >>> semodule -i watch.cil >>> >>> (common filesystem (watch)) >>> (classcommon filesystem filesystem) >>> (allow test_filesystem_t self(filesystem (watch))) >>> ; Until 'fs_watch_all_fs(test_filesystem_t)' in Policy use: >>> (allow test_filesystem_t fs_t (filesystem (watch))) >>> ; Required if notify policy enabled >>> ;(allow test_filesystem_t self (dir (watch_sb))) >>> >>> 3) Edit /usr/share/selinux/devel/include/support/all_perms.spt >>> and insert the 'watch' permission at: >>> >>> define(`all_filesystem_perms',`{ mount remount ..... watch }') >>> >>> Richard Haines (1): >>> selinux-testsuite: Add filesystem tests >>> >>> defconfig | 6 + >>> policy/Makefile | 4 + >>> policy/test_filesystem.te | 356 +++++++ >>> tests/Makefile | 7 + >>> tests/filesystem/.gitignore | 11 + >>> tests/filesystem/Makefile | 16 + >>> tests/filesystem/check_file_context.c | 75 ++ >>> tests/filesystem/check_mount_context.c | 127 +++ >>> tests/filesystem/create_file.c | 117 +++ >>> tests/filesystem/create_file_change_context.c | 146 +++ >>> tests/filesystem/fanotify_fs.c | 79 ++ >>> tests/filesystem/fs_relabel.c | 138 +++ >>> tests/filesystem/grim_reaper.c | 89 ++ >>> tests/filesystem/mount.c | 130 +++ >>> tests/filesystem/quotas_test.c | 143 +++ >>> tests/filesystem/statfs_test.c | 65 ++ >>> tests/filesystem/test | 941 >>> ++++++++++++++++++ >>> tests/filesystem/umount.c | 84 ++ >>> 18 files changed, 2534 insertions(+) >>> create mode 100644 policy/test_filesystem.te >>> create mode 100644 tests/filesystem/.gitignore >>> create mode 100644 tests/filesystem/Makefile >>> create mode 100644 tests/filesystem/check_file_context.c >>> create mode 100644 tests/filesystem/check_mount_context.c >>> create mode 100644 tests/filesystem/create_file.c >>> create mode 100644 tests/filesystem/create_file_change_context.c >>> create mode 100644 tests/filesystem/fanotify_fs.c >>> create mode 100644 tests/filesystem/fs_relabel.c >>> create mode 100644 tests/filesystem/grim_reaper.c >>> create mode 100644 tests/filesystem/mount.c >>> create mode 100644 tests/filesystem/quotas_test.c >>> create mode 100644 tests/filesystem/statfs_test.c >>> create mode 100755 tests/filesystem/test >>> create mode 100644 tests/filesystem/umount.c >>> >
On 1/14/20 8:46 AM, Stephen Smalley wrote: > On 1/14/20 8:39 AM, Richard Haines wrote: >> On Tue, 2020-01-14 at 08:30 -0500, Stephen Smalley wrote: >>> On 1/14/20 7:28 AM, Richard Haines wrote: >>>> These tests should cover all the areas in selinux/hooks.c that >>>> touch >>>> the 'filesystem' class. Each hooks.c function is listed in the >>>> 'test' >>>> script as there are some permissions that are checked in multiple >>>> places. >>>> >>>> Tested on Fedora 31 and Rawhide (5.5 for the new watch perm). >>>> >>>> V4 Changes: >>>> 1) Test non-name based type transition rule. >>>> 2) Test two different name-based type transition rules that only >>>> differ >>>> in name. >>> >>> Sorry, I guess my wording was confusing. What I meant was that the >>> inputs to the two name-based type transition rules were identical >>> except >>> for the name, but you would want them to have different >>> output/result >>> types so that you can tell whether it actually distinguished them. >> >> So would this be ok as policy rules: >> >> type_transition test_filesystem_t test_filesystem_t:file >> test_filesystem_filenametranscon1_t "name_trans_test_file1"; >> type_transition test_filesystem_t test_filesystem_t:file >> test_filesystem_filenametranscon2_t "name_trans_test_file2"; > > Yes. It looks a little odd in that usually the source context is a > process context and the target context is a parent directory context so > it is unusual that they'd be the same in any real-world policy > (generally that would only happen for /proc/pid and you can't create > files there). But I guess that's a side effect of the way the other > tests work / using context mounts? That's fine btw - no need to change it just noting it.
These tests should cover all the areas in selinux/hooks.c that touch the 'filesystem' class. Each hooks.c function is listed in the 'test' script as there are some permissions that are checked in multiple places. Tested on Fedora 31 and Rawhide (5.5 for the new watch perm). V4 Changes: 1) Test non-name based type transition rule. 2) Test two different name-based type transition rules that only differ in name. 3) Creating ext4 filesystems with inodes > 128 bytes using -I 256. 4) Use kernel_setsched() macro. V3 Changes: 1) Lots of minor updates. 2) Add 'udevadm settle' as suggested by Ondrej to resolve udisks(8) issue. 3) Add stopping udisks(8) daemon as a '-d' option. 4) Add file quotaon test. 5) Add test for name type_transition rule. 6) Fix setfscreatecon(3) test to create a directory and check context. 7) Use kernel_dontaudit_setsched() as explained in [1]. [1] https://lore.kernel.org/selinux/f863a91987c1926a4351f3edf968c9003197fead.camel@btinternet.com/ V2 Changes: 1) If udisks(8) daemon is running, stop then restart after tests. The tests run faster and stops the annoying habit of adding mounts to the 'files' app on the desktop. Supports /usr/bin/systemctl or /usr/sbin/service More importantly it stops interferance with the '*context=' tests as it can cause intermittent failures. Tested by running 'test' in a continuous loop with udisks enabled, and then again disabled. Loop 200 times, with udisks failed between 1 to 70 iterations, without udisks, no failures. 2) Add "#define QFMT_VFS_V0 2" to quotas_test.c to fix a RHEL/CentOS 7 and below build issue. 3) Build new file context based on the original in create_file_change_context.c 4) Use "runcon `id -Z` quotacheck ..." to resolve RHEL-6 test run issue. 5) Fix free() contexts in create_file_change_context.c and check_mount_context.c To test fanotify fs watch perm on 5.5+: 1) Build the testsuite policy first: make -C policy load 2) Add the following CIL statements to watch.cil and install: semodule -i watch.cil (common filesystem (watch)) (classcommon filesystem filesystem) (allow test_filesystem_t self(filesystem (watch))) ; Until 'fs_watch_all_fs(test_filesystem_t)' in Policy use: (allow test_filesystem_t fs_t (filesystem (watch))) ; Required if notify policy enabled ;(allow test_filesystem_t self (dir (watch_sb))) 3) Edit /usr/share/selinux/devel/include/support/all_perms.spt and insert the 'watch' permission at: define(`all_filesystem_perms',`{ mount remount ..... watch }') Richard Haines (1): selinux-testsuite: Add filesystem tests defconfig | 6 + policy/Makefile | 4 + policy/test_filesystem.te | 356 +++++++ tests/Makefile | 7 + tests/filesystem/.gitignore | 11 + tests/filesystem/Makefile | 16 + tests/filesystem/check_file_context.c | 75 ++ tests/filesystem/check_mount_context.c | 127 +++ tests/filesystem/create_file.c | 117 +++ tests/filesystem/create_file_change_context.c | 146 +++ tests/filesystem/fanotify_fs.c | 79 ++ tests/filesystem/fs_relabel.c | 138 +++ tests/filesystem/grim_reaper.c | 89 ++ tests/filesystem/mount.c | 130 +++ tests/filesystem/quotas_test.c | 143 +++ tests/filesystem/statfs_test.c | 65 ++ tests/filesystem/test | 941 ++++++++++++++++++ tests/filesystem/umount.c | 84 ++ 18 files changed, 2534 insertions(+) create mode 100644 policy/test_filesystem.te create mode 100644 tests/filesystem/.gitignore create mode 100644 tests/filesystem/Makefile create mode 100644 tests/filesystem/check_file_context.c create mode 100644 tests/filesystem/check_mount_context.c create mode 100644 tests/filesystem/create_file.c create mode 100644 tests/filesystem/create_file_change_context.c create mode 100644 tests/filesystem/fanotify_fs.c create mode 100644 tests/filesystem/fs_relabel.c create mode 100644 tests/filesystem/grim_reaper.c create mode 100644 tests/filesystem/mount.c create mode 100644 tests/filesystem/quotas_test.c create mode 100644 tests/filesystem/statfs_test.c create mode 100755 tests/filesystem/test create mode 100644 tests/filesystem/umount.c