
[v2,1/2] tools/nfs.sh: comment out the fscontext= tests for now

Message ID 20240529140306.6663-1-stephen.smalley.work@gmail.com (mailing list archive)
State Superseded
Delegated to: Ondrej Mosnáček

Commit Message

Stephen Smalley May 29, 2024, 2:03 p.m. UTC
These tests currently fail on mount(2) calls due to the directory being
unlabeled at the point where search access is checked. Until we can resolve
the underlying issue, comment out these tests to allow the NFS tests to
be run. It is unclear that these tests ever passed and retaining them
prevents enabling the NFS tests in automated testing.

Before:
Run 'filesystem' tests with mount context option:
	fscontext=system_u:object_r:test_filesystem_file_t:s0
filesystem/test .. 1/41 Failed mount(2): Permission denied

#   Failed test at filesystem/test line 709.
Failed umount(2): Permission denied

#   Failed test at filesystem/test line 720.
Failed mount(2): Permission denied

#   Failed test at filesystem/test line 744.
Failed umount(2): Permission denied

#   Failed test at filesystem/test line 756.
Failed mount(2): Permission denied

#   Failed test at filesystem/test line 780.
Failed umount(2): No such file or directory

#   Failed test at filesystem/test line 793.
Failed mount(2): Permission denied

#   Failed test at filesystem/test line 851.
Failed umount(2): Permission denied

#   Failed test at filesystem/test line 863.
Failed mount(2): Permission denied

#   Failed test at filesystem/test line 887.
Failed umount(2): Permission denied

#   Failed test at filesystem/test line 899.
Failed mount(2): Permission denied

#   Failed test at filesystem/test line 923.
Failed umount(2): Permission denied

#   Failed test at filesystem/test line 935.

#   Failed test at filesystem/test line 978.
# Looks like you failed 13 tests of 41.
filesystem/test .. Dubious, test returned 13 (wstat 3328, 0xd00)
Failed 13/41 subtests

Test Summary Report
-------------------
filesystem/test (Wstat: 3328 (exited 13) Tests: 41 Failed: 13)
  Failed tests:  23, 25-26, 28-29, 31-32, 34-35, 37-38, 40-41
  Non-zero exit status: 13
Files=1, Tests=41,  1 wallclock secs ( 0.02 usr  0.00 sys +  0.22 cusr  0.36 csys =  0.60 CPU)
Result: FAIL
Failed 1/1 test programs. 13/41 subtests failed.
Test failed on line: 85 - Closing down NFS
NFS Closed down

$ sudo ausearch -m AVC -ts recent | grep unlabeled
type=AVC msg=audit(1716989714.176:42466): avc:  denied  { search } for  pid=170755 comm="mount" name="mntpoint" dev="0:60" ino=822109802 scontext=unconfined_u:unconfined_r:test_filesystem_no_watch_mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

After:
No failing tests.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 tools/nfs.sh | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

Comments

Paul Moore May 29, 2024, 3:27 p.m. UTC | #1
On Wed, May 29, 2024 at 10:04 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> These tests currently fail on mount(2) calls due to the directory being
> unlabeled at the point where search access is checked. Until we can resolve
> the underlying issue, comment out these tests to allow the NFS tests to
> be run. It is unclear that these tests ever passed and retaining them
> prevents enabling the NFS tests in automated testing.
>
> Before:
> Run 'filesystem' tests with mount context option:
>         fscontext=system_u:object_r:test_filesystem_file_t:s0
> filesystem/test .. 1/41 Failed mount(2): Permission denied
>
> #   Failed test at filesystem/test line 709.
> Failed umount(2): Permission denied
>
> #   Failed test at filesystem/test line 720.
> Failed mount(2): Permission denied
>
> #   Failed test at filesystem/test line 744.
> Failed umount(2): Permission denied
>
> #   Failed test at filesystem/test line 756.
> Failed mount(2): Permission denied
>
> #   Failed test at filesystem/test line 780.
> Failed umount(2): No such file or directory
>
> #   Failed test at filesystem/test line 793.
> Failed mount(2): Permission denied
>
> #   Failed test at filesystem/test line 851.
> Failed umount(2): Permission denied
>
> #   Failed test at filesystem/test line 863.
> Failed mount(2): Permission denied
>
> #   Failed test at filesystem/test line 887.
> Failed umount(2): Permission denied
>
> #   Failed test at filesystem/test line 899.
> Failed mount(2): Permission denied
>
> #   Failed test at filesystem/test line 923.
> Failed umount(2): Permission denied
>
> #   Failed test at filesystem/test line 935.
>
> #   Failed test at filesystem/test line 978.
> # Looks like you failed 13 tests of 41.
> filesystem/test .. Dubious, test returned 13 (wstat 3328, 0xd00)
> Failed 13/41 subtests
>
> Test Summary Report
> -------------------
> filesystem/test (Wstat: 3328 (exited 13) Tests: 41 Failed: 13)
>   Failed tests:  23, 25-26, 28-29, 31-32, 34-35, 37-38, 40-41
>   Non-zero exit status: 13
> Files=1, Tests=41,  1 wallclock secs ( 0.02 usr  0.00 sys +  0.22 cusr  0.36 csys =  0.60 CPU)
> Result: FAIL
> Failed 1/1 test programs. 13/41 subtests failed.
> Test failed on line: 85 - Closing down NFS
> NFS Closed down
>
> $ sudo ausearch -m AVC -ts recent | grep unlabeled
> type=AVC msg=audit(1716989714.176:42466): avc:  denied  { search } for  pid=170755 comm="mount" name="mntpoint" dev="0:60" ino=822109802 scontext=unconfined_u:unconfined_r:test_filesystem_no_watch_mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
>
> After:
> No failing tests.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  tools/nfs.sh | 40 ++++++++++++++++++++--------------------
>  1 file changed, 20 insertions(+), 20 deletions(-)
>
> diff --git a/tools/nfs.sh b/tools/nfs.sh
> index cf4912c..688903e 100755
> --- a/tools/nfs.sh
> +++ b/tools/nfs.sh
> @@ -77,27 +77,27 @@ POPD=0
>  popd >/dev/null 2>&1
>  umount /mnt/selinux-testsuite
>  #
> -echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
> -mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> -pushd /mnt/selinux-testsuite >/dev/null 2>&1
> -POPD=1
> -cd tests
> -./nfsruntests.pl filesystem/test
> -cd ../
> -POPD=0
> -popd >/dev/null 2>&1
> -umount /mnt/selinux-testsuite
> +#echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
> +#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> +#pushd /mnt/selinux-testsuite >/dev/null 2>&1
> +#POPD=1
> +#cd tests
> +#./nfsruntests.pl filesystem/test
> +#cd ../
> +#POPD=0
> +#popd >/dev/null 2>&1
> +#umount /mnt/selinux-testsuite
>  #
> -echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
> -mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> -pushd /mnt/selinux-testsuite >/dev/null 2>&1
> -POPD=1
> -cd tests
> -./nfsruntests.pl fs_filesystem/test
> -cd ../
> -POPD=0
> -popd >/dev/null 2>&1
> -umount /mnt/selinux-testsuite
> +#echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
> +#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> +#pushd /mnt/selinux-testsuite >/dev/null 2>&1
> +#POPD=1
> +#cd tests
> +#./nfsruntests.pl fs_filesystem/test
> +#cd ../
> +#POPD=0
> +#popd >/dev/null 2>&1
> +#umount /mnt/selinux-testsuite
>  #

Thanks for the additional info in the patch description.  I think this
change is fine, although I have a slight preference to simply removing
the dead code rather than commenting it out (a small comment can be
inserted referencing the change if that helps), but ultimately I'll
leave that decision to Ondrej as he has been really driving
maintenance of the selinux-testsuite for the past several years.
However, Ondrej hasn't been responding much on-list lately so it is
possible he is away for a bit; if that is the case I would say to go
ahead with what you have and we can always adjust as needed later.

Regardless, thanks for spending the time on getting the NFS tests
working.  I wonder if this is something we could get working in the GH
Actions CI using NFS over loopback?

>  echo "Run NFS context specific tests"
>  cd tests
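Review bot: the `echo -e "Run 'filesystem' tests with mount context option:..."` and `echo -e "Run 'fs_filesystem' tests with mount context option:..."` lines that open each block are commented out together with the tests, so a run of tools/nfs.sh no longer prints anything about the fscontext= cases and the skip is invisible in the output. Consider leaving one live line in place of the two blocks, for example `echo "Skipping 'filesystem' and 'fs_filesystem' tests with $FS_CTX: mount(2) currently fails"`, so that automated runs record that these tests did not execute.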
> --
> 2.40.1

Stephen Smalley May 30, 2024, 11:57 a.m. UTC | #2
On Wed, May 29, 2024 at 11:27 AM Paul Moore <paul@paul-moore.com> wrote:
> Thanks for the additional info in the patch description.  I think this
> change is fine, although I have a slight preference to simply removing
> the dead code rather than commenting it out (a small comment can be
> inserted referencing the change if that helps), but ultimately I'll
> leave that decision to Ondrej as he has been really driving
> maintenance of the selinux-testsuite for the past several years.
> However, Ondrej hasn't been responding much on-list lately so it is
> possible he is away for a bit; if that is the case I would say to go
> ahead with what you have and we can always adjust as needed later.
>
> Regardless, thanks for spending the time on getting the NFS tests
> working.  I wonder if this is something we could get working in the GH
> Actions CI using NFS over loopback?

Yes, that should be trivial - just need to ensure that it installs the
additional dependencies identified in the README.md for testing NFS
and runs ./tools/nfs.sh, which starts the nfs server, exports to
localhost, mounts it, and runs the tests.

Ondrej Mosnacek May 30, 2024, 1:40 p.m. UTC | #3
On Wed, May 29, 2024 at 5:27 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Wed, May 29, 2024 at 10:04 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > These tests currently fail on mount(2) calls due to the directory being
> > unlabeled at the point where search access is checked. Until we can resolve
> > the underlying issue, comment out these tests to allow the NFS tests to
> > be run. It is unclear that these tests ever passed and retaining them
> > prevents enabling the NFS tests in automated testing.
> >
> > Before:
> > Run 'filesystem' tests with mount context option:
> >         fscontext=system_u:object_r:test_filesystem_file_t:s0
> > filesystem/test .. 1/41 Failed mount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 709.
> > Failed umount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 720.
> > Failed mount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 744.
> > Failed umount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 756.
> > Failed mount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 780.
> > Failed umount(2): No such file or directory
> >
> > #   Failed test at filesystem/test line 793.
> > Failed mount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 851.
> > Failed umount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 863.
> > Failed mount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 887.
> > Failed umount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 899.
> > Failed mount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 923.
> > Failed umount(2): Permission denied
> >
> > #   Failed test at filesystem/test line 935.
> >
> > #   Failed test at filesystem/test line 978.
> > # Looks like you failed 13 tests of 41.
> > filesystem/test .. Dubious, test returned 13 (wstat 3328, 0xd00)
> > Failed 13/41 subtests
> >
> > Test Summary Report
> > -------------------
> > filesystem/test (Wstat: 3328 (exited 13) Tests: 41 Failed: 13)
> >   Failed tests:  23, 25-26, 28-29, 31-32, 34-35, 37-38, 40-41
> >   Non-zero exit status: 13
> > Files=1, Tests=41,  1 wallclock secs ( 0.02 usr  0.00 sys +  0.22 cusr  0.36 csys =  0.60 CPU)
> > Result: FAIL
> > Failed 1/1 test programs. 13/41 subtests failed.
> > Test failed on line: 85 - Closing down NFS
> > NFS Closed down
> >
> > $ sudo ausearch -m AVC -ts recent | grep unlabeled
> > type=AVC msg=audit(1716989714.176:42466): avc:  denied  { search } for  pid=170755 comm="mount" name="mntpoint" dev="0:60" ino=822109802 scontext=unconfined_u:unconfined_r:test_filesystem_no_watch_mount_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
> >
> > After:
> > No failing tests.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > ---
> >  tools/nfs.sh | 40 ++++++++++++++++++++--------------------
> >  1 file changed, 20 insertions(+), 20 deletions(-)
> >
> > diff --git a/tools/nfs.sh b/tools/nfs.sh
> > index cf4912c..688903e 100755
> > --- a/tools/nfs.sh
> > +++ b/tools/nfs.sh
> > @@ -77,27 +77,27 @@ POPD=0
> >  popd >/dev/null 2>&1
> >  umount /mnt/selinux-testsuite
> >  #
> > -echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
> > -mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > -pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > -POPD=1
> > -cd tests
> > -./nfsruntests.pl filesystem/test
> > -cd ../
> > -POPD=0
> > -popd >/dev/null 2>&1
> > -umount /mnt/selinux-testsuite
> > +#echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
> > +#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > +#pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > +#POPD=1
> > +#cd tests
> > +#./nfsruntests.pl filesystem/test
> > +#cd ../
> > +#POPD=0
> > +#popd >/dev/null 2>&1
> > +#umount /mnt/selinux-testsuite
> >  #
> > -echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
> > -mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > -pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > -POPD=1
> > -cd tests
> > -./nfsruntests.pl fs_filesystem/test
> > -cd ../
> > -POPD=0
> > -popd >/dev/null 2>&1
> > -umount /mnt/selinux-testsuite
> > +#echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
> > +#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
> > +#pushd /mnt/selinux-testsuite >/dev/null 2>&1
> > +#POPD=1
> > +#cd tests
> > +#./nfsruntests.pl fs_filesystem/test
> > +#cd ../
> > +#POPD=0
> > +#popd >/dev/null 2>&1
> > +#umount /mnt/selinux-testsuite
> >  #
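Review bot: after this change every use of `$FS_CTX` in the hunk is commented out, in both `mount -t nfs -o vers=4.2,$FS_CTX ...` lines and both `echo -e` lines. If the assignment of FS_CTX earlier in tools/nfs.sh has no other consumer, it is left behind as a dead variable; either comment it out with the same explanation, or add a note next to it saying it is kept for the disabled blocks.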
>
> Thanks for the additional info in the patch description.  I think this
> change is fine, although I have a slight preference to simply removing
> the dead code rather than commenting it out (a small comment can be
> inserted referencing the change if that helps), but ultimately I'll
> leave that decision to Ondrej as he has been really driving
> maintenance of the selinux-testsuite for the past several years.
> However, Ondrej hasn't been responding much on-list lately so it is
> possible he is away for a bit; if that is the case I would say to go
> ahead with what you have and we can always adjust as needed later.

Yes, I was on a 2-week vacation ending Tuesday (I should have set up
an auto-reply, but forgot, sorry...).

I'm fine with the patches, although I would prefer that a comment is
added before the commented-out code that explains why it is
commented out (can be taken from the log message), ideally with a link
to an issue tracker or ML thread(s) so that future readers have a
chance to figure out if the issue has been already fixed or not.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Patch

diff --git a/tools/nfs.sh b/tools/nfs.sh
index cf4912c..688903e 100755
--- a/tools/nfs.sh
+++ b/tools/nfs.sh
@@ -77,27 +77,27 @@  POPD=0
 popd >/dev/null 2>&1
 umount /mnt/selinux-testsuite
 #
-echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
-mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
-pushd /mnt/selinux-testsuite >/dev/null 2>&1
-POPD=1
-cd tests
-./nfsruntests.pl filesystem/test
-cd ../
-POPD=0
-popd >/dev/null 2>&1
-umount /mnt/selinux-testsuite
+#echo -e "Run 'filesystem' tests with mount context option:\n\t$FS_CTX"
+#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
+#pushd /mnt/selinux-testsuite >/dev/null 2>&1
+#POPD=1
+#cd tests
+#./nfsruntests.pl filesystem/test
+#cd ../
+#POPD=0
+#popd >/dev/null 2>&1
+#umount /mnt/selinux-testsuite
 #
-echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
-mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
-pushd /mnt/selinux-testsuite >/dev/null 2>&1
-POPD=1
-cd tests
-./nfsruntests.pl fs_filesystem/test
-cd ../
-POPD=0
-popd >/dev/null 2>&1
-umount /mnt/selinux-testsuite
+#echo -e "Run 'fs_filesystem' tests with mount context option:\n\t$FS_CTX"
+#mount -t nfs -o vers=4.2,$FS_CTX localhost:$TESTDIR /mnt/selinux-testsuite
+#pushd /mnt/selinux-testsuite >/dev/null 2>&1
+#POPD=1
+#cd tests
+#./nfsruntests.pl fs_filesystem/test
+#cd ../
+#POPD=0
+#popd >/dev/null 2>&1
+#umount /mnt/selinux-testsuite
 #
 echo "Run NFS context specific tests"
 cd tests
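Review bot: the twenty lines commented out after `umount /mnt/selinux-testsuite` carry no explanation in the file itself, and the only markers left around them are the bare `#` separators, so a reader of tools/nfs.sh cannot tell deliberately disabled tests from stale code. Add a short comment above the first `#echo -e` line stating that the fscontext= runs are disabled because mount(2) is denied search on the unlabeled mount point, with a pointer to this thread or an issue, so the blocks can be re-enabled once the underlying problem is resolved.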