From patchwork Thu Jan 30 20:22:38 2020
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 11358623
From: Stephen Smalley
To: paul@paul-moore.com
Cc: selinux@vger.kernel.org, omosnace@redhat.com, richard_c_haines@btinternet.com, Stephen Smalley
Subject: [PATCH v3 1/2] testsuite: provide support for testing labeled NFS
Date: Thu, 30 Jan 2020 15:22:38 -0500
Message-Id: <20200130202239.11498-1-sds@tycho.nsa.gov>
X-Mailing-List: selinux@vger.kernel.org

Provide instructions in the README.md file, the required kernel config
options in defconfig, and an nfs.sh script for running the testsuite
within a labeled NFS mount. This depends on the previous change to
enable running over labeled NFS without failures.

This completes the first part of
https://github.com/SELinuxProject/selinux-testsuite/issues/32.
What remains unfinished is adding tests that context mounts are
properly honored, with and without security_label in exports, for NFS,
and default labeling of NFS when neither security_label nor context
mounts are used (i.e. genfscon default of nfs_t).
Signed-off-by: Stephen Smalley
---
v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
the relocation. As before, these patches depend on the previous one
("testsuite: enable running over labeled NFS") in order to allow the
testsuite to pass on NFS mounts.

 README.md    | 41 +++++++++++++++++++++++++++++++++++++++++
 defconfig    | 10 ++++++++++
 tools/nfs.sh | 13 +++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100755 tools/nfs.sh

diff --git a/README.md b/README.md
index 4352796edb2d..e02ae9ac6d6f 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,47 @@ the tests: tests/infiniband_pkey/ibpkey_test.conf tests/infiniband_endport/ibendport_test.conf +#### NFS + +It is possible to run most of the tests within a labeled NFS mount in +order to exercise the NFS security labeling functionality. Certain +tests have been excluded from such testing due to differences between +NFS and local filesystems; these tests will be automatically skipped. + +You will need to install an additional package, the package below +is for Fedora/RHEL but other Linux distributions should have a similar +package: + +* nfs-utils _(for `nfsd', `exportfs', and other NFS-related programs)_ + +On a modern Fedora system you can install this dependency with the +following command: + + # dnf install nfs-utils + +If your distribution does not use systemd as its init system, you will +need to customize the nfs.sh script found in the tools directory to +correctly start and stop the nfs server. You may also choose to not +start/stop the nfs-server as part of the script by removing those lines +if you are already using NFS for other reasons. + +Before running the tests in a labeled NFS mount, first ensure that you +can run them successfully on a local filesystem following the standard +instructions further below. Any failures that occur on a local +filesystem should also typically be expected when running over NFS. + +To run the tests within a labeled NFS mount, you can run the +nfs.sh script while in the selinux-testsuite directory: + + # cd selinux-testsuite + # ./tools/nfs.sh + +The script will start the nfs-server, export the mount containing the +testsuite directory with the security_label option to localhost, mount +it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory, +and run the testsuite there. After completion, it will unmount and +unexport the mount and then stop the nfs-server. + ## Running the Tests Create a shell with the `unconfined_r` or `sysadm_r` role and the Linux 
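Review bot: The new NFS section should also tell the reader what the script exports: tools/nfs.sh exports the entire filesystem containing the testsuite checkout (the `stat --print %m .` mount point, which may well be `/`) read-write with `no_root_squash` to localhost, and someone running this on a shared or production host should know that before typing `./tools/nfs.sh`. A Markdown nit in the package bullet: the TeX-style quotes in `nfsd', `exportfs' render as a stray backtick plus apostrophe; use paired backticks, e.g. `nfsd`, `exportfs`.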
diff --git a/defconfig b/defconfig index 7cb6a2ca7f71..8419e40b79dc 100644 --- a/defconfig +++ b/defconfig @@ -94,3 +94,13 @@ CONFIG_TRACEPOINTS=y CONFIG_BLK_DEV_LOOP=m CONFIG_BLK_DEV_LOOP_MIN_COUNT=0 CONFIG_QFMT_V2=y + +# Test labeled NFS. +# This is not required for SELinux operation itself. +CONFIG_NFS_FS=m +CONFIG_NFS_V4=m +CONFIG_NFS_V4_2=y +CONFIG_NFS_V4_SECURITY_LABEL=y +CONFIG_NFSD=m +CONFIG_NFSD_V4=y +CONFIG_NFSD_V4_SECURITY_LABEL=y diff --git a/tools/nfs.sh b/tools/nfs.sh new file mode 100755 index 000000000000..31c66c377cae --- /dev/null +++ b/tools/nfs.sh 
@@ -0,0 +1,13 @@ +#!/bin/sh -e +MOUNT=`stat --print %m .` +TESTDIR=`pwd` +systemctl start nfs-server +exportfs -orw,no_root_squash,security_label localhost:$MOUNT +mkdir -p /mnt/selinux-testsuite +mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite +pushd /mnt/selinux-testsuite +make test +popd +umount /mnt/selinux-testsuite +exportfs -u localhost:$MOUNT +systemctl stop nfs-server
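Review bot: In the defconfig hunk, CONFIG_NFS_V4_2=y is added without CONFIG_NFS_V4_1=y, and in the kernel's fs/nfs/Kconfig NFS_V4_2 depends on NFS_V4_1 (NFS_V4_SECURITY_LABEL in turn depends on NFS_V4_2); unless NFS_V4_1 is already set elsewhere in defconfig, an `olddefconfig` merge drops both options silently and the `vers=4.2` mount in tools/nfs.sh then fails with an unhelpful error. Suggest adding `CONFIG_NFS_V4_1=y` between `CONFIG_NFS_V4=m` and `CONFIG_NFS_V4_2=y`.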
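Review bot: tools/nfs.sh runs under `#!/bin/sh -e` but uses `pushd`/`popd`, which are bash builtins rather than POSIX sh; on a distribution where /bin/sh is dash the script aborts at `pushd` after the export has been made and nfs-server started. Either use `#!/bin/bash -e` or replace the pair with `cd /mnt/selinux-testsuite` and `cd "$TESTDIR"`. Related: because of `-e`, any failure in `make test` (or in the mount) exits before the `umount`, `exportfs -u` and `systemctl stop nfs-server` lines run, leaving the filesystem exported read-write with `no_root_squash`; a `trap` that performs that cleanup on EXIT would make the script fail safe. Minor: `$MOUNT` and `$TESTDIR` are unquoted and will break if the checkout path contains whitespace.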
From patchwork Thu Jan 30 20:22:39 2020
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 11358625
From: Stephen Smalley
To: paul@paul-moore.com
Cc: selinux@vger.kernel.org, omosnace@redhat.com, richard_c_haines@btinternet.com, Stephen Smalley
Subject: [PATCH v3 2/2] testsuite: add further nfs tests
Date: Thu, 30 Jan 2020 15:22:39 -0500
Message-Id: <20200130202239.11498-2-sds@tycho.nsa.gov>
In-Reply-To: <20200130202239.11498-1-sds@tycho.nsa.gov>
References: <20200130202239.11498-1-sds@tycho.nsa.gov>
X-Mailing-List: selinux@vger.kernel.org

In addition to testing full NFS security labeling support, make sure
that context mounts continue to work independent of whether the mount
was exported with security_label, and add a simple test of the default
NFS file labeling. With the previous changes, this completes addressing
https://github.com/SELinuxProject/selinux-testsuite/issues/32

Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
Signed-off-by: Stephen Smalley
---
v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
the relocation. As before, these patches depend on the previous one
("testsuite: enable running over labeled NFS") in order to allow the
testsuite to pass on NFS mounts.

 README.md    |  5 ++++-
 tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e02ae9ac6d6f..64f80c8fd493 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,10 @@ nfs.sh script while in the selinux-testsuite directory: The script will start the nfs-server, export the mount containing the testsuite directory with the security_label option to localhost, mount it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory, -and run the testsuite there. After completion, it will unmount and +and run the testsuite there. After running the testsuite, the script +will also perform tests of context mounts with and without the +security_label export option and will test default NFS file labeling +in the absence of any options. When finished, it will unmount and unexport the mount and then stop the nfs-server. ## Running the Tests diff --git a/tools/nfs.sh b/tools/nfs.sh index 31c66c377cae..314f898a6c02 100755 --- a/tools/nfs.sh +++ b/tools/nfs.sh @@ -2,6 +2,8 @@ MOUNT=`stat --print %m .` TESTDIR=`pwd` systemctl start nfs-server + +# Run the full testsuite on a labeled NFS mount. exportfs -orw,no_root_squash,security_label localhost:$MOUNT mkdir -p /mnt/selinux-testsuite mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite 
@@ -9,5 +11,41 @@ pushd /mnt/selinux-testsuite make test popd umount /mnt/selinux-testsuite + +# Test context mounts when exported with security_label. +mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite +echo "Testing context mount of a security_label export." +fctx=`secon -t -f /mnt/selinux-testsuite` +if [ "$fctx" != "etc_t" ]; then + echo "Context mount failed: got $fctx instead of etc_t." + exit 1 +fi +umount /mnt/selinux-testsuite +exportfs -u localhost:$MOUNT + +# Test context mounts when not exported with security_label. +exportfs -orw,no_root_squash localhost:$MOUNT +mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite +echo "Testing context mount of a non-security_label export." +fctx=`secon -t -f /mnt/selinux-testsuite` +if [ "$fctx" != "etc_t" ]; then + echo "Context mount failed: got $fctx instead of etc_t." + exit 1 +fi +umount /mnt/selinux-testsuite + +# Test non-context mount when not exported with security_label. +mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite +echo "Testing non-context mount of a non-security_label export." +fctx=`secon -t -f /mnt/selinux-testsuite` +if [ "$fctx" != "nfs_t" ]; then + echo "Context mount failed: got $fctx instead of nfs_t." + exit 1 +fi +umount /mnt/selinux-testsuite + +# All done. +echo "Done" exportfs -u localhost:$MOUNT +rmdir /mnt/selinux-testsuite systemctl stop nfs-server
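Review bot: In the last check of the nfs.sh hunk (the non-context mount of a non-security_label export) the failure message reads "Context mount failed: got $fctx instead of nfs_t." although no context= option is in play; it should say that the default NFS labeling check failed, otherwise a log reader hunts for a context-mount problem that does not exist. The cleanup gap from the first patch now applies to three new `exit 1` paths: each leaves the mount and the export in place and nfs-server running, because the trailing `exportfs -u`, `rmdir` and `systemctl stop nfs-server` are never reached; an EXIT trap would cover all of them in one place. Minor: the three secon/compare blocks differ only in the expected type and message, and a small shell function taking the expected type and a description would remove the duplication and keep the messages consistent.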