[RFC,V3,0/2] selinux-testsuite: Use native filesystem for tests

Message ID 20200310162456.32240-1-richard_c_haines@btinternet.com (mailing list archive)
Series selinux-testsuite: Use native filesystem for tests

Message

Richard Haines March 10, 2020, 4:24 p.m. UTC
If you test on the selinux-next kernel (that has the XFS patch [1]) with
the "NFS: Ensure security label is set for root inode" patch [2], then all
tests should pass. Anything else will give varying amounts of fails.

The filesystem types tested are: ext4, xfs, vfat and nfs4.

I've revamped the nfs.sh to handle tests that require specific mount
options, these plus many more are now in tests/nfs_filesystem. This only
gets run by nfs.sh.

There are two minor workarounds involving multiple mounts returning EBUSY.
These are either bugs or features.

Not tested on travis.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
[2] https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/

To test fanotify fs watch perms on 5.4+ (will also include tests/notify):
1) Extract the base module (base.cil):
      semodule -c -E base

2) Backup, then edit the following definitions in base.cil to add watch
   permissions:

   (common file (ioctl read write ....))
Add:
   watch watch_mount watch_sb watch_with_perm watch_reads

   (class filesystem (mount remount ....))
Add:
   watch

3) Insert modified base module (inserts with default priority 400):
       semodule -i base.cil

4) Backup, then edit the following definitions in:
       /usr/share/selinux/devel/include/support/all_perms.spt

   define(`all_file_perms',`{ ioctl read write ....
Add:
   watch watch_mount watch_sb watch_with_perm watch_reads

   define(`all_dir_perms',`{ ioctl read write ....
Add:
   watch watch_mount watch_sb watch_with_perm watch_reads

   define(`all_filesystem_perms',`{ mount remount ....
Add:
   watch

5) 'make test' can now be run.

NOTE: Do NOT leave the new base.cil active after tests, as the system may
not reboot if in enforcing mode, as various watch permissions will be denied.
Revert to the original (priority 100) as follows:

semodule -r base
make clean
make -C policy unload

Finally restore the original:
/usr/share/selinux/devel/include/support/all_perms.spt


Richard Haines (2):
  selinux-testsuite: Use native filesystem for tests - Part 1
  selinux-testsuite: Use native filesystem for tests - Part 2

 README.md                            |   10 +-
 defconfig                            |    6 +
 policy/test_filesystem.te            |   93 +-
 policy/test_filesystem_name_trans.te |    6 +
 policy/test_filesystem_notify.te     |   41 +-
 tests/filesystem/.gitignore          |    1 +
 tests/filesystem/Filesystem.pm       |  114 ++-
 tests/filesystem/Makefile            |    3 +-
 tests/filesystem/test                | 1205 +++++++++++++++---------
 tests/filesystem/xfs_quotas_test.c   |   96 ++
 tests/fs_filesystem/fsmount.c        |    5 +-
 tests/fs_filesystem/test             | 1306 ++++++++++++++++----------
 tests/nfs_filesystem/test            |  359 +++++++
 tests/nfsruntests.pl                 |    5 +
 tools/nfs.sh                         |  123 ++-
 15 files changed, 2374 insertions(+), 999 deletions(-)
 create mode 100644 tests/filesystem/xfs_quotas_test.c
 create mode 100755 tests/nfs_filesystem/test
 create mode 100755 tests/nfsruntests.pl
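
The base.cil edit in step 2 of the cover letter, as an added example that is not part of the original posting or of the testsuite: a helper that keeps a one-time backup and appends the watch permissions only where they are missing, so re-running it is harmless. The names `add_perms` and `demo_add_perms` are hypothetical, the sample CIL is constructed, and each definition is assumed to sit on a single line; the all_perms.spt edits in step 4 are not covered.

```bash
#!/bin/bash
# Added example (not from the original posting): idempotently append
# permissions to a one-line CIL definition such as
#   (common file (ioctl read write ...))

# add_perms FILE KIND NAME PERM...
#   KIND is "common" or "class", NAME is the common/class name.
#   Returns 0 on success, 3 if no "(KIND NAME (...))" line was found.
add_perms() {
    local file=$1 kind=$2 name=$3 tmp rc=0
    shift 3
    # Step 2 says "Backup": keep the first copy only, so a re-run never
    # replaces the pristine original with an already-edited file.
    [ -e "$file.orig" ] || cp -p -- "$file" "$file.orig" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v prefix="($kind $name (" -v add="$*" '
        BEGIN { n = split(add, want, " ") }
        {
            rest = $0
            sub(/^[ \t]+/, "", rest)                 # tolerate indentation
            indent = substr($0, 1, length($0) - length(rest))
            if (index(rest, prefix) == 1 && rest ~ /\)\)[ \t]*$/) {
                sub(/\)\)[ \t]*$/, "", rest)
                body = substr(rest, length(prefix) + 1)
                split("", seen)                      # portable array reset
                m = split(body, have, " ")
                for (i = 1; i <= m; i++) seen[have[i]] = 1
                for (i = 1; i <= n; i++)
                    if (!(want[i] in seen)) {        # skip perms already there
                        body = (body == "" ? "" : body " ") want[i]
                        seen[want[i]] = 1
                    }
                $0 = indent prefix body "))"
                found = 1
            }
            print
        }
        END { exit(found ? 0 : 3) }
    ' "$file" > "$tmp" || rc=$?
    # Write through the existing file so its mode and label are kept;
    # leave FILE untouched when nothing matched.
    if [ "$rc" -eq 0 ]; then
        cat -- "$tmp" > "$file" || rc=1
    fi
    rm -f -- "$tmp"
    return "$rc"
}

# Constructed sample standing in for the output of "semodule -c -E base";
# the real permission lists are much longer.
demo_add_perms() {
    local dir cil
    dir=$(mktemp -d) || return 1
    cil=$dir/base.cil
    cat > "$cil" <<'EOF'
(common file (ioctl read write getattr))
(classcommon file file)
(class file (execute_no_trans entrypoint))
(class filesystem (mount remount unmount))
EOF
    add_perms "$cil" common file \
        watch watch_mount watch_sb watch_with_perm watch_reads || return
    add_perms "$cil" class filesystem watch || return
    # A second run must change nothing.
    add_perms "$cil" class filesystem watch || return
    cat "$cil"
    rm -rf -- "$dir"
}

demo_add_perms
```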

Comments

Stephen Smalley March 11, 2020, 2:55 p.m. UTC | #1
On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> If you test on the selinux-next kernel (that has the XFS patch [1]) with
> the "NFS: Ensure security label is set for root inode" patch [2], then all
> tests should pass. Anything else will give varying amounts of fails.
>
> The filesystem types tested are: ext4, xfs, vfat and nfs4.
>
> I've revamped the nfs.sh to handle tests that require specific mount
> options, these plus many more are now in tests/nfs_filesystem. This only
> gets run by nfs.sh.

I don't really understand why you moved tests that could only be run
from nfs.sh out of it into
tests/nfs_filesystem?

>
> There are two minor workarounds involving multiple mounts returning EBUSY.
> These are either bugs or features.
>
> Not tested on travis.

travis will require you to add the new dependencies to the packages
list in .travis.yml.  You can test this yourself by
pushing a branch with your changes to your own clone on GitHub and
checking travis-ci.org for the result.
Stephen Smalley March 11, 2020, 4:02 p.m. UTC | #2
On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> If you test on the selinux-next kernel (that has the XFS patch [1]) with
> the "NFS: Ensure security label is set for root inode" patch [2], then all
> tests should pass. Anything else will give varying amounts of fails.
>
> The filesystem types tested are: ext4, xfs, vfat and nfs4.
>
> I've revamped the nfs.sh to handle tests that require specific mount
> options, these plus many more are now in tests/nfs_filesystem. This only
> gets run by nfs.sh.
>
> There are two minor workarounds involving multiple mounts returning EBUSY.
> These are either bugs or features.
>
> Not tested on travis.
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> [2] https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/

Even with the patches above applied, I am seeing failures during the
tests/nfs_filesystem tests:
...
filesystem/test ............. ok
fs_filesystem/test .......... ok
All tests successful.
Files=63, Tests=623, 153 wallclock secs ( 0.30 usr  0.82 sys +  2.47
cusr 41.75 csys = 45.34 CPU)
Result: PASS
make: Leaving directory '/mnt/selinux-testsuite/tests'
Run 'filesystem' tests with mount context option:
    fscontext=system_u:object_r:test_filesystem_file_t:s0
filesystem/test .. ok
All tests successful.
Files=1, Tests=30,  8 wallclock secs ( 0.03 usr  0.05 sys +  0.27 cusr
 4.88 csys =  5.23 CPU)
Result: PASS
Run 'fs_filesystem' tests with mount context option:
    fscontext=system_u:object_r:test_filesystem_file_t:s0
fs_filesystem/test .. ok
All tests successful.
Files=1, Tests=29,  9 wallclock secs ( 0.04 usr  0.05 sys +  0.26 cusr
 5.13 csys =  5.48 CPU)
Result: PASS
Run NFS context specific tests
nfs_filesystem/test .. 1/56 Failed mount(2): Permission denied

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 73.
getfilecon(3) Failed: No such file or directory

#   Failed test at nfs_filesystem/test line 79.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 84.
Failed mount(2): Permission denied
nfs_filesystem/test .. 5/56
#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 100.

#   Failed test at nfs_filesystem/test line 110.
creat(2) Failed: No such file or directory

#   Failed test at nfs_filesystem/test line 117.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 122.
Failed mount(2): Permission denied

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 149.
open(2) Failed: No such file or directory

#   Failed test at nfs_filesystem/test line 154.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 159.
Failed mount(2): Permission denied
nfs_filesystem/test .. 17/56
#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 237.

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 242.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 247.
Failed mount(2): Permission denied

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 261.

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 266.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 271.
Failed mount(2): Permission denied

#   Failed test 'Using mount(2) - got mnt_t instead of etc_t'
#   at nfs_filesystem/test line 286.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 296.
Failed mount(2): Permission denied

#   Failed test 'Using mount(2) - got mnt_t instead of etc_t'
#   at nfs_filesystem/test line 313.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 323.
Failed mount(2): Permission denied

#   Failed test 'Using mount(2) - got mnt_t instead of nfs_t'
#   at nfs_filesystem/test line 338.
Failed umount(2): Invalid argument

#   Failed test 'Using mount(2)'
#   at nfs_filesystem/test line 348.
nfs_filesystem/test .. 29/56 Failed move_mount(2): Permission denied

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 73.
getfilecon(3) Failed: No such file or directory

#   Failed test at nfs_filesystem/test line 79.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 84.
Failed move_mount(2): Permission denied

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 100.
nfs_filesystem/test .. 34/56
#   Failed test at nfs_filesystem/test line 110.
creat(2) Failed: No such file or directory

#   Failed test at nfs_filesystem/test line 117.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 122.
Failed move_mount(2): Permission denied

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 149.
open(2) Failed: No such file or directory

#   Failed test at nfs_filesystem/test line 154.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 159.
nfs_filesystem/test .. 41/56 Failed move_mount(2): Permission denied
nfs_filesystem/test .. 45/56
#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 237.

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 242.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 247.
Failed move_mount(2): Permission denied

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 261.

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 266.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 271.
Failed move_mount(2): Permission denied
nfs_filesystem/test .. 51/56
#   Failed test 'Using fsmount(2) - got mnt_t instead of etc_t'
#   at nfs_filesystem/test line 286.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 296.
Failed move_mount(2): Permission denied

#   Failed test 'Using fsmount(2) - got mnt_t instead of etc_t'
#   at nfs_filesystem/test line 313.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 323.
Failed move_mount(2): Permission denied
nfs_filesystem/test .. 55/56
#   Failed test 'Using fsmount(2) - got mnt_t instead of nfs_t'
#   at nfs_filesystem/test line 338.
Failed umount(2): Invalid argument

#   Failed test 'Using fsmount(2)'
#   at nfs_filesystem/test line 348.
# Looks like you failed 44 tests of 56.
nfs_filesystem/test .. Dubious, test returned 44 (wstat 11264, 0x2c00)
Failed 44/56 subtests

Test Summary Report
-------------------
nfs_filesystem/test (Wstat: 11264 Tests: 56 Failed: 44)
  Failed tests:  2-8, 10-12, 17-28, 30-36, 38-40, 45-56
  Non-zero exit status: 44
Files=1, Tests=56,  8 wallclock secs ( 0.04 usr  0.04 sys +  0.20 cusr
 4.63 csys =  4.91 CPU)
Result: FAIL
Failed 1/1 test programs. 44/56 subtests failed.
Error on line: 100 - Closing down NFS
umount: /mnt/selinux-testsuite: not mounted.
Richard Haines March 11, 2020, 4:54 p.m. UTC | #3
On Wed, 2020-03-11 at 12:02 -0400, Stephen Smalley wrote:
> On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > If you test on the selinux-next kernel (that has the XFS patch [1])
> > with
> > the "NFS: Ensure security label is set for root inode" patch [2],
> > then all
> > tests should pass. Anything else will give varying amounts of
> > fails.
> > 
> > The filesystem types tested are: ext4, xfs, vfat and nfs4.
> > 
> > I've revamped the nfs.sh to handle tests that require specific
> > mount
> > options, these plus many more are now in tests/nfs_filesystem. This
> > only
> > gets run by nfs.sh.
> > 
> > There are two minor workarounds involving multiple mounts returning
> > EBUSY.
> > These are either bugs or features.
> > 
> > Not tested on travis.
> > 
> > [1] 
> > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> > [2] 
> > https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/
> 
> Even with the patches above applied, I am seeing failures during the
> tests/nfs_filesystem tests:

Looks like my /mnt was mis-labeled. I've fixed and had to add this to
test_filesystem.te:

files_mounton_non_security(filesystemdomain)

and now works okay. Could you confirm please, then I'll resend new
patch later

Richard Haines March 11, 2020, 5:52 p.m. UTC | #4
On Wed, 2020-03-11 at 10:55 -0400, Stephen Smalley wrote:
> On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > If you test on the selinux-next kernel (that has the XFS patch [1])
> > with
> > the "NFS: Ensure security label is set for root inode" patch [2],
> > then all
> > tests should pass. Anything else will give varying amounts of
> > fails.
> > 
> > The filesystem types tested are: ext4, xfs, vfat and nfs4.
> > 
> > I've revamped the nfs.sh to handle tests that require specific
> > mount
> > options, these plus many more are now in tests/nfs_filesystem. This
> > only
> > gets run by nfs.sh.
> 
> I don't really understand why you moved tests that could only be run
> from nfs.sh out of it into
> tests/nfs_filesystem?

I only moved them as it seemed more in keeping with the testsuite.
Would you prefer them in the shell script ? I don't mind either way.

> 
> > There are two minor workarounds involving multiple mounts returning
> > EBUSY.
> > These are either bugs or features.
> > 
> > Not tested on travis.
> 
> travis will require you to add the new dependencies to the packages
> list in .travis.yml.  You can test this yourself by
> pushing a branch with your changes to your own clone on GitHub and
> checking travis-ci.org for the result.

I've added these to .travis.yml
      - xfslibs-dev
      - uuid-dev
Stephen Smalley March 11, 2020, 5:53 p.m. UTC | #5
On Wed, Mar 11, 2020 at 12:54 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> On Wed, 2020-03-11 at 12:02 -0400, Stephen Smalley wrote:
> > On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > [1]
> > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> > > [2]
> > > https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/
> >
> > Even with the patches above applied, I am seeing failures during the
> > tests/nfs_filesystem tests:
>
> Looks like my /mnt was mis-labeled. I've fixed and had to add this to
> test_filesystem.te:
>
> files_mounton_non_security(filesystemdomain)
>
> and now works okay. Could you confirm please, then I'll resend new
> patch later

With that change to policy and no other changes, it then fails earlier
during fs_filesystem/test as shown below even
though the kernel does have the referenced patch (and it passes if I
revert that policy change).  Also, I noticed that
as it is running the tests for filesystem and fs_filesystem, it shows
a question mark (?) as the total/planned number of tests,
suggesting a problem with the plan.

...
filesystem/test ............. ok

#   Failed test 'Failed as kernel 5.6.0 without "selinux: fix
regression introduced by move_mount(2) syscall" patch'
#   at fs_filesystem/test line 752.
# Looks like you failed 1 test of 26.
fs_filesystem/test ..........
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/26 subtests

Test Summary Report
-------------------
fs_filesystem/test        (Wstat: 256 Tests: 26 Failed: 1)
  Failed test:  22
  Non-zero exit status: 1
Files=63, Tests=623, 161 wallclock secs ( 0.33 usr  0.90 sys +  2.76
cusr 46.78 csys = 50.77 CPU)
Result: FAIL
Failed 1/63 test programs. 1/623 subtests failed.
Stephen Smalley March 11, 2020, 6:02 p.m. UTC | #6
On Wed, Mar 11, 2020 at 1:52 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> On Wed, 2020-03-11 at 10:55 -0400, Stephen Smalley wrote:
> > On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > I've revamped the nfs.sh to handle tests that require specific
> > > mount
> > > options, these plus many more are now in tests/nfs_filesystem. This
> > > only
> > > gets run by nfs.sh.
> >
> > I don't really understand why you moved tests that could only be run
> > from nfs.sh out of it into
> > tests/nfs_filesystem?
>
> I only moved them as it seemed more in keeping with the testsuite.
> Would you prefer them in the shell script ? I don't mind either way.

Previously they weren't dependent on the test policy (weren't running
in any test domain
or using any test types) and were only testing NFS labeling behavior.
I think you switched
them over to running in test domains and on test files/directories.
If we stay with the former,
then keeping them in nfs.sh makes more sense.  If we choose the
latter, then moving them as
you have done makes more sense.  Not sure about the tradeoffs here.

One thing to double check is that if you move them and there is a
failure, is that failure reported
properly and propagated up to the shell script in a way that causes
the entire test to fail.  Might be
but I haven't confirmed it.
Richard Haines March 11, 2020, 6:14 p.m. UTC | #7
On Wed, 2020-03-11 at 13:53 -0400, Stephen Smalley wrote:
> On Wed, Mar 11, 2020 at 12:54 PM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Wed, 2020-03-11 at 12:02 -0400, Stephen Smalley wrote:
> > > On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > > > [1]
> > > > https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/patch/security/selinux?id=e4cfa05e9bfe286457082477b32ecd17737bdbce
> > > > [2]
> > > > https://lore.kernel.org/selinux/20200303225837.1557210-1-smayhew@redhat.com/
> > > 
> > > Even with the patches above applied, I am seeing failures during
> > > the
> > > tests/nfs_filesystem tests:
> > 
> > Looks like my /mnt was mis-labeled. I've fixed and had to add this
> > to
> > test_filesystem.te:
> > 
> > files_mounton_non_security(filesystemdomain)
> > 
> > and now works okay. Could you confirm please, then I'll resend new
> > patch later
> 
> With that change to policy and no other changes, it then fails
> earlier
> during fs_filesystem/test as shown below even
> though the kernel does have the referenced patch (and it passes if I
> revert that policy change).  Also, I noticed that
> as it is running the tests for filesystem and fs_filesystem, it shows
> a question mark (?) as the total/planned number of tests,
> suggesting a problem with the plan.

I've tried to fix this and failed !!. It seems that because I have to
load the subroutines from Filesystem.pm before doing plan tests =>
$test_count;, it gets upset, hence the ?.

> 
> ...
> filesystem/test ............. ok
> 
> #   Failed test 'Failed as kernel 5.6.0 without "selinux: fix
> regression introduced by move_mount(2) syscall" patch'
> #   at fs_filesystem/test line 752.
> # Looks like you failed 1 test of 26.
> fs_filesystem/test ..........
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/26 subtests

Looks like this is too open. I'll fix later
files_mounton_non_security(filesystemdomain)

> 
> Test Summary Report
> -------------------
> fs_filesystem/test        (Wstat: 256 Tests: 26 Failed: 1)
>   Failed test:  22
>   Non-zero exit status: 1
> Files=63, Tests=623, 161 wallclock secs ( 0.33 usr  0.90 sys +  2.76
> cusr 46.78 csys = 50.77 CPU)
> Result: FAIL
> Failed 1/63 test programs. 1/623 subtests failed.
Richard Haines March 11, 2020, 9:09 p.m. UTC | #8
On Wed, 2020-03-11 at 14:02 -0400, Stephen Smalley wrote:
> On Wed, Mar 11, 2020 at 1:52 PM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Wed, 2020-03-11 at 10:55 -0400, Stephen Smalley wrote:
> > > On Tue, Mar 10, 2020 at 12:25 PM Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > > > I've revamped the nfs.sh to handle tests that require specific
> > > > mount
> > > > options, these plus many more are now in tests/nfs_filesystem.
> > > > This
> > > > only
> > > > gets run by nfs.sh.
> > > 
> > > I don't really understand why you moved tests that could only be
> > > run
> > > from nfs.sh out of it into
> > > tests/nfs_filesystem?
> > 
> > I only moved them as it seemed more in keeping with the testsuite.
> > Would you prefer them in the shell script ? I don't mind either
> > way.
> 
> Previously they weren't dependent on the test policy (weren't running
> in any test domain
> or using any test types) and were only testing NFS labeling behavior.
> I think you switched
> them over to running in test domains and on test files/directories.
> If we stay with the former,
> then keeping them in nfs.sh makes more sense.  If we choose the
> latter, then moving them as
> you have done makes more sense.  Not sure about the tradeoffs here.

I'll leave as is for now and see how it goes.
> 
> One thing to double check is that if you move them and there is a
> failure, is that failure reported
> properly and propagated up to the shell script in a way that causes
> the entire test to fail.  Might be
> but I haven't confirmed it.

It does now. I've fixed all the highlighted problems now. Will send new
patch set tomorrow. Thanks for feedback.