
testsuite: enable running over labeled NFS

Message ID 20200129202922.88027-1-sds@tycho.nsa.gov (mailing list archive)
State Accepted

Commit Message

Stephen Smalley Jan. 29, 2020, 8:29 p.m. UTC
Certain tests cannot succeed on nfs and therefore should
be skipped in that case.  This allows the testsuite to
be run on a labeled NFS mount as described below without
triggering any (additional) failures relative to running
on a local filesystem like ext4.

The tests that are skipped or modified, and the corresponding rationale, are:
file: 1 test skipped - flock not supported over NFS
capable_file: all tests skipped - file capabilities not supported over NFS
capable_sys: 1 test skipped - CAP_SYS_RAWIO not supported over NFS
overlay: all tests skipped - NFS not supported as an upperdir
mac_admin: one test modified - undefined contexts not exported over NFS

This partly addresses
https://github.com/SELinuxProject/selinux-testsuite/issues/32.

Test sequence for labeled NFS is:
$ cat nfs.sh
MOUNT=/home # must be a top-level mount
TESTDIR=$MOUNT/path/to/selinux-testsuite
systemctl start nfs-server
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
exportfs -u localhost:$MOUNT
systemctl stop nfs-server

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 tests/capable_file/test | 28 +++++++++++++++++++---------
 tests/capable_sys/test  | 32 +++++++++++++++++++++++---------
 tests/file/test         | 22 +++++++++++++++++-----
 tests/mac_admin/test    | 18 ++++++++++++++----
 tests/overlay/test      | 11 ++++++++---
 5 files changed, 81 insertions(+), 30 deletions(-)

Comments

Stephen Smalley Feb. 5, 2020, 5:09 p.m. UTC | #1
On 1/29/20 3:29 PM, Stephen Smalley wrote:
> Certain tests cannot succeed on nfs and therefore should
> be skipped in that case.  This allows the testsuite to
> be run on a labeled NFS mount as described below without
> triggering any (additional) failures relative to running
> on a local filesystem like ext4.
> 
> The tests that are skipped or modified and the corresponding rationale is:
> file: 1 test skipped - flock not supported over NFS
> capable_file: all tests skipped - file capabilities not supported over NFS
> capable_sys: 1 test skipped - CAP_SYS_RAWIO not supported over NFS
> overlay: all tests skipped - NFS not supported as an upperdir
> mac_admin: one test modified - undefined contexts not exported over NFS
> 
> This partly addresses
> https://github.com/SELinuxProject/selinux-testsuite/issues/32.
> 
> Test sequence for labeled NFS is:
> $ cat nfs.sh
> MOUNT=/home # must be a top-level mount
> TESTDIR=$MOUNT/path/to/selinux-testsuite
> systemctl start nfs-server
> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
> mkdir -p /mnt/selinux-testsuite
> mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
> pushd /mnt/selinux-testsuite
> make test
> popd
> umount /mnt/selinux-testsuite
> exportfs -u localhost:$MOUNT
> systemctl stop nfs-server
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This is now applied.

> ---
>   tests/capable_file/test | 28 +++++++++++++++++++---------
>   tests/capable_sys/test  | 32 +++++++++++++++++++++++---------
>   tests/file/test         | 22 +++++++++++++++++-----
>   tests/mac_admin/test    | 18 ++++++++++++++----
>   tests/overlay/test      | 11 ++++++++---
>   5 files changed, 81 insertions(+), 30 deletions(-)

[...]

Patch

diff --git a/tests/capable_file/test b/tests/capable_file/test
index 12322d320dd4..8d0acc9742af 100755
--- a/tests/capable_file/test
+++ b/tests/capable_file/test
@@ -3,11 +3,21 @@ 
 # This test performs capability tests for file operations.
 #
 
-use Test;
-BEGIN { plan tests => 10 }
+use Test::More;
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    if ( $isnfs eq "nfs" ) {
+        plan skip_all => "file capabilities not supported over NFS";
+    }
+    else {
+        plan tests => 10;
+    }
+}
 
 # Clean up from a previous run
 system "rm -f $basedir/temp_file 2>&1";
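Review bot: The filesystem probe added in the BEGIN block passes `$basedir` unquoted through a shell and never checks that `stat` ran, so a checkout path containing whitespace or a failed `stat` leaves `$isnfs` empty and the script quietly takes the local-filesystem branch. `--print` also works only as a getopt abbreviation of `--printf`. A list-form pipe avoids the shell: `open( my $fh, "-|", "stat", "-f", "--printf", "%T", $basedir ) or die "stat: $!";` then `$isnfs = <$fh>;`, with the result of `close($fh)` checked to catch a non-zero exit. The same probe is copied into the BEGIN blocks of tests/capable_sys/test, tests/file/test, tests/mac_admin/test and tests/overlay/test, so one shared helper would keep the five copies from drifting.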
@@ -20,12 +30,12 @@  system "rm -f $basedir/temp_file2 2>&1";
 system "touch $basedir/temp_file 2>&1";
 $result =
   system "runcon -t test_fcap_t -- chown daemon $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_FOWNER
 system "chown daemon.tty $basedir/temp_file 2>&1";
 $result = system "runcon -t test_fcap_t -- chmod 0400 $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_FSETID
 $fn   = "$basedir/temp_file";
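Review bot: `ok( $result eq 0 )` throws away the actual exit status when the check fails, so a failing capability test reports only "not ok"; with Test::More, `is( $result, 0 );` makes the same comparison and prints got/expected. The same applies to the conversions in the two following hunks of this file (the CAP_LEASE/CAP_MKNOD checks and the "prior mode" check). Because the file moved from Test to Test::More, any two-argument `ok( $result, 0 )` left outside these hunks would treat `0` as the test name and pass on a non-zero status. The rest of the file is not visible here, so it is worth confirming none remain.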
@@ -42,12 +52,12 @@  ok($result);
 # CAP_LEASE
 $result = system
   "runcon -t test_fcap_t --  $basedir/test_lease $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_MKNOD
 $result =
   system "runcon -t test_fcap_t -- mknod $basedir/temp_file2 c 5 5 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # Cleanup time.
 system "rm -f $basedir/temp_file 2>&1";
@@ -79,7 +89,7 @@  if ( $mode eq ( stat($fn) )[2] ) {
 }
 
 # prior mode should be same as current mode
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_LEASE - Needs DAC_OVERRIDE
 $result = system
diff --git a/tests/capable_sys/test b/tests/capable_sys/test
index 2d9edf450800..cd50ebcada1b 100755
--- a/tests/capable_sys/test
+++ b/tests/capable_sys/test
@@ -1,13 +1,23 @@ 
 #!/usr/bin/perl
 #
-# This test performs checks for network-related capabilties.
+# This test performs checks for system-related capabilties.
 #
 
 use Test;
-BEGIN { plan tests => 8 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    $test_count = 7;
+    if ( $isnfs ne "nfs" ) {
+        $test_count += 1;
+    }
+
+    plan tests => $test_count;
+}
 
 # Clean up from a previous run
 system "rm -f $basedir/temp_file 2>&1";
@@ -16,11 +26,15 @@  system "rm -f $basedir/temp_file 2>&1";
 # Tests for the good domain.
 #
 
-# CAP_SYS_RAWIO
-system "touch $basedir/temp_file 2>&1";
-$result =
-  system "runcon -t test_scap_t -- $basedir/test_rawio $basedir/temp_file 2>&1";
-ok( $result, 0 );
+if ( $isnfs ne "nfs" ) {
+
+    # CAP_SYS_RAWIO
+    system "touch $basedir/temp_file 2>&1";
+    $result =
+      system
+      "runcon -t test_scap_t -- $basedir/test_rawio $basedir/temp_file 2>&1";
+    ok( $result, 0 );
+}
 
 # CAP_SYS_CHROOT
 $result = system "runcon -t test_scap_t -- $basedir/test_chroot $basedir/ 2>&1";
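Review bot: Wrapping the CAP_SYS_RAWIO check in `if ( $isnfs ne "nfs" )` makes the test vanish from the output on NFS, so someone reading the results cannot tell that this capability was never exercised. It also means `$test_count` in the BEGIN block must be kept in step with the guard by hand. Test.pm's `skip()` would keep the plan fixed at 8 and emit a `# skip` line with the reason, along the lines of `skip( $isnfs eq "nfs" ? "CAP_SYS_RAWIO not supported over NFS" : 0, sub { system "runcon ..." }, 0 );`. The `sub` wrapper is an assumption that `ok()` evaluates code references lazily, so confirm the command does not still run. The `test_lock` guard in the second hunk of tests/file/test has the same shape.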
diff --git a/tests/file/test b/tests/file/test
index 5e080fc6d4e9..465054802fc5 100755
--- a/tests/file/test
+++ b/tests/file/test
@@ -4,10 +4,20 @@ 
 #
 
 use Test;
-BEGIN { plan tests => 16 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    $test_count = 15;
+    if ( $isnfs ne "nfs" ) {
+        $test_count++;
+    }
+
+    plan tests => $test_count;
+}
 
 #
 # Clean up from a previous run
@@ -72,9 +82,11 @@  $result = system
 "runcon -t test_fileop_t -- $basedir/test_mprotect $basedir/temp_file $good_file_sid 2>&1";
 ok( $result, 0 );
 
-$result = system
+if ( $isnfs ne "nfs" ) {
+    $result = system
 "runcon -t test_fileop_t -- $basedir/test_lock $basedir/temp_file $good_file_sid 2>&1";
-ok( $result, 0 );
+    ok( $result, 0 );
+}
 
 $result = system
 "runcon -t test_fileop_t -- $basedir/test_rw $basedir/temp_file $good_file_sid 2>&1";
diff --git a/tests/mac_admin/test b/tests/mac_admin/test
index e8e0bbf8cf19..32161f391643 100755
--- a/tests/mac_admin/test
+++ b/tests/mac_admin/test
@@ -1,10 +1,15 @@ 
 #!/usr/bin/perl
 
 use Test;
-BEGIN { plan tests => 8 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    plan tests => 8;
+}
 
 # Verify that test_mac_admin_t can relabel a file to an undefined context.
 system("rm -f $basedir/test_file; touch $basedir/test_file");
@@ -36,7 +41,12 @@  ok( $result, 0 );    # we expect this to succeed.
 # Verify that test_mac_admin_t sees the undefined label value.
 $result = `runcon -t test_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`;
 chomp($result);
-ok( $result, "UNDEFINED" );
+if ( $isnfs ne "nfs" ) {
+    ok( $result, "UNDEFINED" );
+}
+else {
+    ok( $result, "unlabeled_t" );
+}
 
 # Verify that test_no_mac_admin_t sees the unlabeled context.
 $result = `runcon -t test_no_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`;
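Review bot: The comment above this check still says test_mac_admin_t "sees the undefined label value", but on NFS the new `else` branch asserts `unlabeled_t`, the result the neighbouring comment expects for test_no_mac_admin_t. On NFS this check therefore appears to no longer distinguish a domain that has mac_admin from one that does not. Nothing in the file explains why that is acceptable, so I would add a comment on the `else` branch such as `# Undefined contexts are not exported over NFS, so even a mac_admin domain sees unlabeled_t here.`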
diff --git a/tests/overlay/test b/tests/overlay/test
index 33eb0d1c2178..72affdfaa7ff 100755
--- a/tests/overlay/test
+++ b/tests/overlay/test
@@ -2,10 +2,18 @@ 
 use Test::More;
 
 BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
     # check if kernel supports overlayfs and SELinux labeling
     if ( system("grep -q security_inode_copy_up /proc/kallsyms") ) {
         plan skip_all => "overlayfs not supported with SELinux in this kernel";
     }
+    elsif ( $isnfs eq "nfs" ) {
+        plan skip_all => "overlayfs upperdir not supported on NFS";
+    }
     else {
         plan tests => 119;
     }
@@ -695,9 +703,6 @@  sub test_93_1 {
     return;
 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
-
 cleanup();
 
 sub nocontext_test {