[PATCH xfstests] _qmount: mount w/o selinux xattrs

[PATCH xfstests] _qmount: mount w/o selinux xattrs

[Eric Sandeen]

when selinux is on it can change quota usage due to extra
xattr blocks.

Mounting with a context prevents this.  We already do so
for xfs in general because so many things look at detailed
on-disk format, and extra xattrs confuses those tests.

For other filesystems, we've left selinux alone so far, 
as that seemed the best way to test.

However, it throws quota accounting off, so add a fixup
in _qmount()

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

diff --git a/common.quota b/common.quota
index d32e285..87a766c 100644
--- a/common.quota
+++ b/common.quota
@@ -131,8 +131,17 @@ _choose_prid()
 
 _qmount()
 {
+    # SELinux adds extra xattrs which can mess up our expected usage.
+    # So, mount with a context, and they won't be created
+    # nfs_t is a "liberal" context so we can use it.
+    # Only set it if we didn't inherit SELINUX_MOUNT_OPTIONS for
+    # all mounts anyway.
+    if [ -z "$SELINUX_MOUNT_OPTIONS" -a -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
+        QUOTA_SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
+    fi
+
     umount $SCRATCH_DEV >/dev/null 2>&1
-    _scratch_mount || _fail "qmount failed"
+    _scratch_mount $QUOTA_SELINUX_MOUNT_OPTIONS || _fail "qmount failed"
     chmod ugo+rwx $SCRATCH_MNT
 }
 

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH xfstests] _qmount: mount w/o selinux xattrs

[Christoph Hellwig]

On Thu, Jul 01, 2010 at 02:58:07PM -0500, Eric Sandeen wrote:
> when selinux is on it can change quota usage due to extra
> xattr blocks.
> 
> Mounting with a context prevents this.  We already do so
> for xfs in general because so many things look at detailed
> on-disk format, and extra xattrs confuses those tests.
> 
> For other filesystems, we've left selinux alone so far, 
> as that seemed the best way to test.
> 
> However, it throws quota accounting off, so add a fixup
> in _qmount()

What about just disabling selinux for all filesystems instead of just
XFS for the general case.

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH xfstests] _qmount: mount w/o selinux xattrs

[Eric Sandeen]

On 07/02/2010 02:10 AM, Christoph Hellwig wrote:
> On Thu, Jul 01, 2010 at 02:58:07PM -0500, Eric Sandeen wrote:
>> when selinux is on it can change quota usage due to extra
>> xattr blocks.
>>
>> Mounting with a context prevents this.  We already do so
>> for xfs in general because so many things look at detailed
>> on-disk format, and extra xattrs confuses those tests.
>>
>> For other filesystems, we've left selinux alone so far, 
>> as that seemed the best way to test.
>>
>> However, it throws quota accounting off, so add a fixup
>> in _qmount()
> 
> What about just disabling selinux for all filesystems instead of just
> XFS for the general case.

Well it seems like if we -can- test with it on, that's good.
Certain distros ship with it on by default, so exercising lots
of scenarios with it on seems beneficial...

-Eric

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH xfstests] _qmount: mount w/o selinux xattrs

[Christoph Hellwig]

On Fri, Jul 02, 2010 at 12:48:55PM -0500, Eric Sandeen wrote:
> > What about just disabling selinux for all filesystems instead of just
> > XFS for the general case.
> 
> Well it seems like if we -can- test with it on, that's good.
> Certain distros ship with it on by default, so exercising lots
> of scenarios with it on seems beneficial...

It seems, but I'd rather do it consistently for all filesystems.

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH xfstests] _qmount: mount w/o selinux xattrs

[Eric Sandeen]

On 07/09/2010 11:12 AM, Christoph Hellwig wrote:
> On Fri, Jul 02, 2010 at 12:48:55PM -0500, Eric Sandeen wrote:
>>> What about just disabling selinux for all filesystems instead of just
>>> XFS for the general case.
>>
>> Well it seems like if we -can- test with it on, that's good.
>> Certain distros ship with it on by default, so exercising lots
>> of scenarios with it on seems beneficial...
> 
> It seems, but I'd rather do it consistently for all filesystems.
> 

except we can't, because xfs actually has such low-level format checking
that selinux -will- break it badly.

I guess we could flag which tests can't run w/ extra xattrs,
and only mount w/ the context for those?

-Eric

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH xfstests] _qmount: mount w/o selinux xattrs

[Dave Chinner]

On Mon, Jul 12, 2010 at 02:29:14PM -0500, Eric Sandeen wrote:
> On 07/09/2010 11:12 AM, Christoph Hellwig wrote
> > On Fri, Jul 02, 2010 at 12:48:55PM -0500, Eric Sandeen wrote:
> >>> What about just disabling selinux for all filesystems instead of just
> >>> XFS for the general case.
> >>
> >> Well it seems like if we -can- test with it on, that's good.
> >> Certain distros ship with it on by default, so exercising lots
> >> of scenarios with it on seems beneficial...
> > 
> > It seems, but I'd rather do it consistently for all filesystems.
> > 
> 
> except we can't, because xfs actually has such low-level format checking
> that selinux -will- break it badly.
> 
> I guess we could flag which tests can't run w/ extra xattrs,
> and only mount w/ the context for those?

Maybe use a group to define all the tests that can't run with
selinux enabled and check it before running each test? i.e. use
notrun to prevent such tests from running. The attr group isprobably
a good start for the tests that will break w/ selinux enabled....

Cheers.

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH xfstests] _qmount: mount w/o selinux xattrs

[Eric Sandeen]

On 07/12/2010 05:13 PM, Dave Chinner wrote:
> On Mon, Jul 12, 2010 at 02:29:14PM -0500, Eric Sandeen wrote:
>> On 07/09/2010 11:12 AM, Christoph Hellwig wrote
>>> On Fri, Jul 02, 2010 at 12:48:55PM -0500, Eric Sandeen wrote:
>>>>> What about just disabling selinux for all filesystems instead of just
>>>>> XFS for the general case.
>>>>
>>>> Well it seems like if we -can- test with it on, that's good.
>>>> Certain distros ship with it on by default, so exercising lots
>>>> of scenarios with it on seems beneficial...
>>>
>>> It seems, but I'd rather do it consistently for all filesystems.
>>>
>>
>> except we can't, because xfs actually has such low-level format checking
>> that selinux -will- break it badly.
>>
>> I guess we could flag which tests can't run w/ extra xattrs,
>> and only mount w/ the context for those?
> 
> Maybe use a group to define all the tests that can't run with
> selinux enabled and check it before running each test? i.e. use
> notrun to prevent such tests from running. The attr group isprobably
> a good start for the tests that will break w/ selinux enabled....

Something like that ... but there are more tests than just the attr
group, I'm afraid.

I'd have to re-run to see which break, guess I'll put that on the list.

-Eric

> Cheers.
> 
> Dave.

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs