testsuite/policy: fixes for running on a labeled NFS mount

Message ID 20200123193415.34022-1-sds@tycho.nsa.gov (mailing list archive)
State Accepted

Commit Message

Stephen Smalley Jan. 23, 2020, 7:34 p.m. UTC
When running the testsuite on a labeled NFS mount, certain
additional permissions are required for nfsd and its kernel threads
and for the nfs_t filesystem.  Allow them to avoid unnecessary
failures on NFS.  Also declare test_setfscreatecon_newcon_t as a
files_type() to ensure that it can be accessed as expected by
unconfined domains; otherwise, cleanup and repeated runs are not
guaranteed to work.  Saw denials for unconfined_t and kernel_t on
test_fscreatecon_newcon_t when running over labeled NFS, but
at least the unconfined_t access was possible even for running
locally.

With these changes, all of the "filesystem" tests pass on a labeled NFS
mount.

Certain test cases are still expected to fail over NFS; see
https://github.com/SELinuxProject/selinux-testsuite/issues/32
for more details.

Test sequence for labeled NFS is:
$ cat nfs.sh
MOUNT=/home # must be a top-level mount
TESTDIR=$MOUNT/path/to/selinux-testsuite
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
systemctl start nfs-server
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
exportfs -u localhost:$MOUNT
systemctl stop nfs-server

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/test_filesystem.te |  8 ++++++++
 policy/test_sctp.te       | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+)

Comments

Stephen Smalley Jan. 29, 2020, 6:44 p.m. UTC | #1
On 1/23/20 2:34 PM, Stephen Smalley wrote:
> When running the testsuite on a labeled NFS mount, certain
> additional permissions are required for nfsd and its kernel threads
> and for the nfs_t filesystem.  Allow them to avoid unnecessary
> failures on NFS.  Also declare test_setfscreatecon_newcon_t as a
> files_type() to ensure that it can be accessed as expected by
> unconfined domains; otherwise, cleanup and repeated runs are not
> guaranteed to work.  Saw denials for unconfined_t and kernel_t on
> test_fscreatecon_newcon_t when running over labeled NFS, but
> at least the unconfined_t access was possible even for running
> locally.
> 
> With these changes, all of the "filesystem" tests pass on a labeled NFS
> mount.
> 
> Certain test cases are still expected to fail over NFS; see
> https://github.com/SELinuxProject/selinux-testsuite/issues/32
> for more details.
> 
> Test sequence for labeled NFS is:
> $ cat nfs.sh
> MOUNT=/home # must be a top-level mount
> TESTDIR=$MOUNT/path/to/selinux-testsuite
> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
> systemctl start nfs-server
> mkdir -p /mnt/selinux-testsuite
> mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
> pushd /mnt/selinux-testsuite
> make test
> popd
> umount /mnt/selinux-testsuite
> exportfs -u localhost:$MOUNT
> systemctl stop nfs-server
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>   policy/test_filesystem.te |  8 ++++++++
>   policy/test_sctp.te       | 18 ++++++++++++++++++
>   2 files changed, 26 insertions(+)

I went ahead and applied this. Further policy changes will be needed to 
support testing on labeled NFS once more of the filesystem and/or 
fs_filesystem tests are migrated to running in the host/native 
filesystem rather than within the ext4 mount created by the test itself. 
  I'd like to get to the point where we can fully run the testsuite on 
labeled NFS, which will require making some other tests conditional on 
filesystem type.  Then hopefully those who are running the testsuite 
automatically could also add the above nfs.sh script or something 
similar to their test harness and start exercising labeled NFS on a 
regular basis to catch regressions.

Stephen Smalley Jan. 29, 2020, 7:30 p.m. UTC | #2
On 1/29/20 1:44 PM, Stephen Smalley wrote:
> On 1/23/20 2:34 PM, Stephen Smalley wrote:
>> When running the testsuite on a labeled NFS mount, certain
>> additional permissions are required for nfsd and its kernel threads
>> and for the nfs_t filesystem.  Allow them to avoid unnecessary
>> failures on NFS.  Also declare test_setfscreatecon_newcon_t as a
>> files_type() to ensure that it can be accessed as expected by
>> unconfined domains; otherwise, cleanup and repeated runs are not
>> guaranteed to work.  Saw denials for unconfined_t and kernel_t on
>> test_fscreatecon_newcon_t when running over labeled NFS, but
>> at least the unconfined_t access was possible even for running
>> locally.
>>
>> With these changes, all of the "filesystem" tests pass on a labeled NFS
>> mount.
>>
>> Certain test cases are still expected to fail over NFS; see
>> https://github.com/SELinuxProject/selinux-testsuite/issues/32
>> for more details.
>>
>> Test sequence for labeled NFS is:
>> $ cat nfs.sh
>> MOUNT=/home # must be a top-level mount
>> TESTDIR=$MOUNT/path/to/selinux-testsuite
>> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
>> systemctl start nfs-server
>> mkdir -p /mnt/selinux-testsuite
>> mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
>> pushd /mnt/selinux-testsuite
>> make test
>> popd
>> umount /mnt/selinux-testsuite
>> exportfs -u localhost:$MOUNT
>> systemctl stop nfs-server
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>   policy/test_filesystem.te |  8 ++++++++
>>   policy/test_sctp.te       | 18 ++++++++++++++++++
>>   2 files changed, 26 insertions(+)
> 
> I went ahead and applied this. Further policy changes will be needed to 
> support testing on labeled NFS once more of the filesystem and/or 
> fs_filesystem tests are migrated to running in the host/native 
> filesystem rather than within the ext4 mount created by the test itself. 
>   I'd like to get to the point where we can fully run the testsuite on 
> labeled NFS, which will require making some other tests conditional on 
> filesystem type.  Then hopefully those who are running the testsuite 
> automatically could also add the above nfs.sh script or something 
> similar to their test harness and start exercising labeled NFS on a 
> regular basis to catch regressions.

Looks like my sample nfs.sh script above isn't quite right; need to 
start nfs-server before the exportfs.

Patch

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index a029a1b34404..c3c944affad4 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -41,6 +41,9 @@  files_search_all(test_filesystem_t)
 fs_associate(test_filesystem_file_t)
 fs_getattr_xattr_fs(test_filesystem_t)
 
+# Required when running the tests on a labeled NFS mount.
+fs_getattr_nfs(test_filesystem_t)
+
 # Update quotas
 fs_set_all_quotas(test_filesystem_t)
 allow test_filesystem_t test_filesystem_file_t:file { quotaon };
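
Review bot: the comment above fs_getattr_nfs(test_filesystem_t) says only that the rule is required on a labeled NFS mount, not which test or operation triggers the getattr check on the NFS filesystem. Naming it, as the neighbouring "# Update quotas" comment does for its rules, would let a later reader tell whether the grant is still needed, since it is added unconditionally and also applies on runs that are not on NFS.
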
@@ -303,10 +306,15 @@  allow test_setfscreatecon_t test_file_t:dir { add_name write remove_name };
 
 # Set new context on fs:
 type test_setfscreatecon_newcon_t;
+files_type(test_setfscreatecon_newcon_t)
 unconfined_runs_test(test_setfscreatecon_newcon_t)
 fs_associate(test_setfscreatecon_newcon_t)
 allow test_setfscreatecon_t test_setfscreatecon_newcon_t:dir { create getattr rmdir };
 
+# Permit creation of the new file in a NFS filesystem.
+# This is required when running the testsuite on a labeled NFS mount.
+allow test_setfscreatecon_newcon_t nfs_t:filesystem associate;
+
 ################# deny process { setfscreate } #############
 type test_no_setfscreatecon_t;
 domain_type(test_no_setfscreatecon_t)
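
Review bot: the new rule "allow test_setfscreatecon_newcon_t nfs_t:filesystem associate;" uses nfs_t in a raw allow with no gen_require visible in this hunk, while the test_sctp.te hunks in the same patch wrap kernel_t and nfsd_t in gen_require. If nfs_t is not already required elsewhere in test_filesystem.te, add a gen_require for it here. Two smaller points: the comment says "creation of the new file" although the rule directly above grants dir { create getattr rmdir }, and the commit message spells the type test_fscreatecon_newcon_t in one place where the policy uses test_setfscreatecon_newcon_t.
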
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index aedd3a01ba66..df8606ec7a35 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -12,6 +12,15 @@  type netlabel_sctp_peer_t;
 corenet_in_generic_node(netlabel_sctp_peer_t)
 corenet_in_generic_if(netlabel_sctp_peer_t)
 
+# Permit nfsd and its kernel threads to receive these packets.
+# This is required when running the testsuite on a labeled NFS mount.
+gen_require(`
+	type kernel_t;
+	type nfsd_t;
+')
+allow kernel_t netlabel_sctp_peer_t:peer recv;
+allow nfsd_t netlabel_sctp_peer_t:peer recv;
+
 # Default label for CIPSO/CALIPSO:
 gen_require(`
 	type netlabel_peer_t;
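
Review bot: the gen_require for kernel_t and nfsd_t is unconditional, so the test policy now depends on the base policy defining nfsd_t even on hosts that never run the suite over NFS. Consider wrapping the require and the two "allow ... netlabel_sctp_peer_t:peer recv;" rules in optional_policy() so the module still builds where nfsd_t is absent, and name netlabel_sctp_peer_t in the comment instead of "these packets".
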
@@ -89,6 +98,15 @@  allow test_sctp_client_t deny_assoc_sctp_peer_t:peer {recv };
 corenet_inout_generic_node(deny_assoc_sctp_peer_t)
 corenet_inout_generic_if(deny_assoc_sctp_peer_t)
 
+# Permit nfsd and its kernel threads to receive these packets.
+# This is required when running the testsuite on a labeled NFS mount.
+gen_require(`
+	type kernel_t;
+	type nfsd_t;
+')
+allow kernel_t deny_assoc_sctp_peer_t:peer recv;
+allow nfsd_t deny_assoc_sctp_peer_t:peer recv;
+
 #
 ############################# Connectx #################################
 #
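
Review bot: this block repeats the gen_require of kernel_t and nfsd_t and the two-line comment from the first test_sctp.te hunk verbatim. A single require with the four allow rules grouped under it would avoid the duplication. It is also worth a comment on why recv is granted on deny_assoc_sctp_peer_t, a label whose name suggests it exists for a denial test, so a reader can confirm the extra grants to kernel_t and nfsd_t do not affect what that test checks.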