[PATCH] testsuite: enable running over labeled NFS

From: Stephen Smalley <sds@tycho.nsa.gov>
To: paul@paul-moore.com
Cc: selinux@vger.kernel.org, omosnace@redhat.com,
	richard_c_haines@btinternet.com,
	Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH] testsuite: enable running over labeled NFS
Date: Wed, 29 Jan 2020 15:29:22 -0500	[thread overview]
Message-ID: <20200129202922.88027-1-sds@tycho.nsa.gov> (raw)

Certain tests cannot succeed on nfs and therefore should
be skipped in that case.  This allows the testsuite to
be run on a labeled NFS mount as described below without
triggering any (additional) failures relative to running
on a local filesystem like ext4.

The tests that are skipped or modified and the corresponding rationale is:
file: 1 test skipped - flock not supported over NFS
capable_file: all tests skipped - file capabilities not supported over NFS
capable_sys: 1 test skipped - CAP_SYS_RAWIO not supported over NFS
overlay: all tests skipped - NFS not supported as an upperdir
mac_admin: one test modified - undefined contexts not exported over NFS

This partly addresses
https://github.com/SELinuxProject/selinux-testsuite/issues/32.

Test sequence for labeled NFS is:
$ cat nfs.sh
MOUNT=/home # must be a top-level mount
TESTDIR=$MOUNT/path/to/selinux-testsuite
systemctl start nfs-server
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
exportfs -u localhost:$MOUNT
systemctl stop nfs-server

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 tests/capable_file/test | 28 +++++++++++++++++++---------
 tests/capable_sys/test  | 32 +++++++++++++++++++++++---------
 tests/file/test         | 22 +++++++++++++++++-----
 tests/mac_admin/test    | 18 ++++++++++++++----
 tests/overlay/test      | 11 ++++++++---
 5 files changed, 81 insertions(+), 30 deletions(-)

diff --git a/tests/capable_file/test b/tests/capable_file/test
index 12322d320dd4..8d0acc9742af 100755
--- a/tests/capable_file/test
+++ b/tests/capable_file/test
@@ -3,11 +3,21 @@
 # This test performs capability tests for file operations.
 #
 
-use Test;
-BEGIN { plan tests => 10 }
+use Test::More;
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    if ( $isnfs eq "nfs" ) {
+        plan skip_all => "file capabilities not supported over NFS";
+    }
+    else {
+        plan tests => 10;
+    }
+}
 
 # Clean up from a previous run
 system "rm -f $basedir/temp_file 2>&1";
@@ -20,12 +30,12 @@ system "rm -f $basedir/temp_file2 2>&1";
 system "touch $basedir/temp_file 2>&1";
 $result =
   system "runcon -t test_fcap_t -- chown daemon $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_FOWNER
 system "chown daemon.tty $basedir/temp_file 2>&1";
 $result = system "runcon -t test_fcap_t -- chmod 0400 $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_FSETID
 $fn   = "$basedir/temp_file";
@@ -42,12 +52,12 @@ ok($result);
 # CAP_LEASE
 $result = system
   "runcon -t test_fcap_t --  $basedir/test_lease $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_MKNOD
 $result =
   system "runcon -t test_fcap_t -- mknod $basedir/temp_file2 c 5 5 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # Cleanup time.
 system "rm -f $basedir/temp_file 2>&1";
@@ -79,7 +89,7 @@ if ( $mode eq ( stat($fn) )[2] ) {
 }
 
 # prior mode should be same as current mode
-ok( $result, 0 );
+ok( $result eq 0 );
 
 # CAP_LEASE - Needs DAC_OVERRIDE
 $result = system
diff --git a/tests/capable_sys/test b/tests/capable_sys/test
index 2d9edf450800..cd50ebcada1b 100755
--- a/tests/capable_sys/test
+++ b/tests/capable_sys/test
@@ -1,13 +1,23 @@
 #!/usr/bin/perl
 #
-# This test performs checks for network-related capabilties.
+# This test performs checks for system-related capabilties.
 #
 
 use Test;
-BEGIN { plan tests => 8 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    $test_count = 7;
+    if ( $isnfs ne "nfs" ) {
+        $test_count += 1;
+    }
+
+    plan tests => $test_count;
+}
 
 # Clean up from a previous run
 system "rm -f $basedir/temp_file 2>&1";
@@ -16,11 +26,15 @@ system "rm -f $basedir/temp_file 2>&1";
 # Tests for the good domain.
 #
 
-# CAP_SYS_RAWIO
-system "touch $basedir/temp_file 2>&1";
-$result =
-  system "runcon -t test_scap_t -- $basedir/test_rawio $basedir/temp_file 2>&1";
-ok( $result, 0 );
+if ( $isnfs ne "nfs" ) {
+
+    # CAP_SYS_RAWIO
+    system "touch $basedir/temp_file 2>&1";
+    $result =
+      system
+      "runcon -t test_scap_t -- $basedir/test_rawio $basedir/temp_file 2>&1";
+    ok( $result, 0 );
+}
 
 # CAP_SYS_CHROOT
 $result = system "runcon -t test_scap_t -- $basedir/test_chroot $basedir/ 2>&1";
diff --git a/tests/file/test b/tests/file/test
index 5e080fc6d4e9..465054802fc5 100755
--- a/tests/file/test
+++ b/tests/file/test
@@ -4,10 +4,20 @@
 #
 
 use Test;
-BEGIN { plan tests => 16 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    $test_count = 15;
+    if ( $isnfs ne "nfs" ) {
+        $test_count++;
+    }
+
+    plan tests => $test_count;
+}
 
 #
 # Clean up from a previous run
@@ -72,9 +82,11 @@ $result = system
 "runcon -t test_fileop_t -- $basedir/test_mprotect $basedir/temp_file $good_file_sid 2>&1";
 ok( $result, 0 );
 
-$result = system
+if ( $isnfs ne "nfs" ) {
+    $result = system
 "runcon -t test_fileop_t -- $basedir/test_lock $basedir/temp_file $good_file_sid 2>&1";
-ok( $result, 0 );
+    ok( $result, 0 );
+}
 
 $result = system
 "runcon -t test_fileop_t -- $basedir/test_rw $basedir/temp_file $good_file_sid 2>&1";
diff --git a/tests/mac_admin/test b/tests/mac_admin/test
index e8e0bbf8cf19..32161f391643 100755
--- a/tests/mac_admin/test
+++ b/tests/mac_admin/test
@@ -1,10 +1,15 @@
 #!/usr/bin/perl
 
 use Test;
-BEGIN { plan tests => 8 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
+    plan tests => 8;
+}
 
 # Verify that test_mac_admin_t can relabel a file to an undefined context.
 system("rm -f $basedir/test_file; touch $basedir/test_file");
@@ -36,7 +41,12 @@ ok( $result, 0 );    # we expect this to succeed.
 # Verify that test_mac_admin_t sees the undefined label value.
 $result = `runcon -t test_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`;
 chomp($result);
-ok( $result, "UNDEFINED" );
+if ( $isnfs ne "nfs" ) {
+    ok( $result, "UNDEFINED" );
+}
+else {
+    ok( $result, "unlabeled_t" );
+}
 
 # Verify that test_no_mac_admin_t sees the unlabeled context.
 $result = `runcon -t test_no_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`;
diff --git a/tests/overlay/test b/tests/overlay/test
index 33eb0d1c2178..72affdfaa7ff 100755
--- a/tests/overlay/test
+++ b/tests/overlay/test
@@ -2,10 +2,18 @@
 use Test::More;
 
 BEGIN {
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $isnfs = `stat -f --print %T $basedir`;
+
     # check if kernel supports overlayfs and SELinux labeling
     if ( system("grep -q security_inode_copy_up /proc/kallsyms") ) {
         plan skip_all => "overlayfs not supported with SELinux in this kernel";
     }
+    elsif ( $isnfs eq "nfs" ) {
+        plan skip_all => "overlayfs upperdir not supported on NFS";
+    }
     else {
         plan tests => 119;
     }
@@ -695,9 +703,6 @@ sub test_93_1 {
     return;
 }
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
-
 cleanup();
 
 sub nocontext_test {
-- 
2.24.1

