From: Stephen Smalley <sds@tycho.nsa.gov>
To: paul@paul-moore.com
Cc: selinux@vger.kernel.org, omosnace@redhat.com,
richard_c_haines@btinternet.com,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH] testsuite: enable running over labeled NFS
Date: Wed, 29 Jan 2020 15:29:22 -0500
Message-ID: <20200129202922.88027-1-sds@tycho.nsa.gov>
Certain tests cannot succeed on nfs and therefore should
be skipped in that case. This allows the testsuite to
be run on a labeled NFS mount as described below without
triggering any (additional) failures relative to running
on a local filesystem like ext4.
The tests that are skipped or modified, and the corresponding rationale, are:
file: 1 test skipped - flock not supported over NFS
capable_file: all tests skipped - file capabilities not supported over NFS
capable_sys: 1 test skipped - CAP_SYS_RAWIO not supported over NFS
overlay: all tests skipped - NFS not supported as an upperdir
mac_admin: one test modified - undefined contexts not exported over NFS
This partly addresses
https://github.com/SELinuxProject/selinux-testsuite/issues/32.
Test sequence for labeled NFS is:
$ cat nfs.sh
MOUNT=/home # must be a top-level mount
TESTDIR=$MOUNT/path/to/selinux-testsuite
systemctl start nfs-server
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
exportfs -u localhost:$MOUNT
systemctl stop nfs-server
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
tests/capable_file/test | 28 +++++++++++++++++++---------
tests/capable_sys/test | 32 +++++++++++++++++++++++---------
tests/file/test | 22 +++++++++++++++++-----
tests/mac_admin/test | 18 ++++++++++++++----
tests/overlay/test | 11 ++++++++---
5 files changed, 81 insertions(+), 30 deletions(-)
diff --git a/tests/capable_file/test b/tests/capable_file/test
index 12322d320dd4..8d0acc9742af 100755
--- a/tests/capable_file/test
+++ b/tests/capable_file/test
@@ -3,11 +3,21 @@
# This test performs capability tests for file operations.
#
-use Test;
-BEGIN { plan tests => 10 }
+use Test::More;
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $isnfs = `stat -f --print %T $basedir`;
+
+ if ( $isnfs eq "nfs" ) {
+ plan skip_all => "file capabilities not supported over NFS";
+ }
+ else {
+ plan tests => 10;
+ }
+}
# Clean up from a previous run
system "rm -f $basedir/temp_file 2>&1";
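Review bot: switching this file from Test to Test::More changes what the two-argument `ok()` means, and any two-argument call the series does not convert is the logic risk here. Under Test::More `ok( $result, 0 )` takes `0` as the test name and passes whenever `$result` is true, i.e. whenever `system` returned a non-zero exit status, so a missed call would pass exactly when the command fails. The later hunks convert the calls they touch; a grep of the whole file for `ok( $result,` should come back empty before this goes in.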
@@ -20,12 +30,12 @@ system "rm -f $basedir/temp_file2 2>&1";
system "touch $basedir/temp_file 2>&1";
$result =
system "runcon -t test_fcap_t -- chown daemon $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
# CAP_FOWNER
system "chown daemon.tty $basedir/temp_file 2>&1";
$result = system "runcon -t test_fcap_t -- chmod 0400 $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
# CAP_FSETID
$fn = "$basedir/temp_file";
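Review bot: `ok( $result eq 0 )` compares the numeric return value of `system` as a string; `is( $result, 0 )` is the idiomatic Test::More form, and on failure it prints the actual exit status, which a bare `ok` does not. The same applies to the other converted calls in this file.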
@@ -42,12 +52,12 @@ ok($result);
# CAP_LEASE
$result = system
"runcon -t test_fcap_t -- $basedir/test_lease $basedir/temp_file 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
# CAP_MKNOD
$result =
system "runcon -t test_fcap_t -- mknod $basedir/temp_file2 c 5 5 2>&1";
-ok( $result, 0 );
+ok( $result eq 0 );
# Cleanup time.
system "rm -f $basedir/temp_file 2>&1";
@@ -79,7 +89,7 @@ if ( $mode eq ( stat($fn) )[2] ) {
}
# prior mode should be same as current mode
-ok( $result, 0 );
+ok( $result eq 0 );
# CAP_LEASE - Needs DAC_OVERRIDE
$result = system
diff --git a/tests/capable_sys/test b/tests/capable_sys/test
index 2d9edf450800..cd50ebcada1b 100755
--- a/tests/capable_sys/test
+++ b/tests/capable_sys/test
@@ -1,13 +1,23 @@
#!/usr/bin/perl
#
-# This test performs checks for network-related capabilties.
+# This test performs checks for system-related capabilties.
#
use Test;
-BEGIN { plan tests => 8 }
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $isnfs = `stat -f --print %T $basedir`;
+
+ $test_count = 7;
+ if ( $isnfs ne "nfs" ) {
+ $test_count += 1;
+ }
+
+ plan tests => $test_count;
+}
# Clean up from a previous run
system "rm -f $basedir/temp_file 2>&1";
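Review bot: the rewritten comment still misspells `capabilties`; since the line is being changed anyway, fix it to `capabilities` here. On the probe line, `stat -f --print %T` works only because GNU getopt accepts `--print` as an abbreviation of `--printf`; spell out `--printf` so the intent is clear (it also documents why `eq "nfs"` needs no `chomp`: `--printf`, unlike `-c`, adds no trailing newline).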
@@ -16,11 +26,15 @@ system "rm -f $basedir/temp_file 2>&1";
# Tests for the good domain.
#
-# CAP_SYS_RAWIO
-system "touch $basedir/temp_file 2>&1";
-$result =
- system "runcon -t test_scap_t -- $basedir/test_rawio $basedir/temp_file 2>&1";
-ok( $result, 0 );
+if ( $isnfs ne "nfs" ) {
+
+ # CAP_SYS_RAWIO
+ system "touch $basedir/temp_file 2>&1";
+ $result =
+ system
+ "runcon -t test_scap_t -- $basedir/test_rawio $basedir/temp_file 2>&1";
+ ok( $result, 0 );
+}
# CAP_SYS_CHROOT
$result = system "runcon -t test_scap_t -- $basedir/test_chroot $basedir/ 2>&1";
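Review bot: guarding the CAP_SYS_RAWIO test with `if` and shrinking the plan hides the skip: an NFS run reports 7 passes with no indication that a test was not run, and the numbering of every later test shifts between NFS and local runs, so TAP output from the two cannot be compared line by line. Test.pm has `skip()` for this; keeping `plan tests => 8` and adding an `else` branch such as `skip( "CAP_SYS_RAWIO not supported over NFS", 0, 0 );` records the skip in the output instead.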
diff --git a/tests/file/test b/tests/file/test
index 5e080fc6d4e9..465054802fc5 100755
--- a/tests/file/test
+++ b/tests/file/test
@@ -4,10 +4,20 @@
#
use Test;
-BEGIN { plan tests => 16 }
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $isnfs = `stat -f --print %T $basedir`;
+
+ $test_count = 15;
+ if ( $isnfs ne "nfs" ) {
+ $test_count++;
+ }
+
+ plan tests => $test_count;
+}
#
# Clean up from a previous run
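Review bot: this is the third copy of the same BEGIN block (`$basedir` extraction plus the `stat -f` probe), and the copies already drift: `$test_count++` here versus `$test_count += 1` in tests/capable_sys/test, and a Test::More `skip_all` in tests/capable_file/test versus a reduced plan here. Factoring the probe into one shared helper that each script pulls in would keep the five scripts in step when the detection needs adjusting (say, for another filesystem type), and is a smaller diff than five BEGIN blocks.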
@@ -72,9 +82,11 @@ $result = system
"runcon -t test_fileop_t -- $basedir/test_mprotect $basedir/temp_file $good_file_sid 2>&1";
ok( $result, 0 );
-$result = system
+if ( $isnfs ne "nfs" ) {
+ $result = system
"runcon -t test_fileop_t -- $basedir/test_lock $basedir/temp_file $good_file_sid 2>&1";
-ok( $result, 0 );
+ ok( $result, 0 );
+}
$result = system
"runcon -t test_fileop_t -- $basedir/test_rw $basedir/temp_file $good_file_sid 2>&1";
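Review bot: the continuation line of the `system` call, shown here as unchanged context, keeps its old indentation inside the new `if` block, so the string argument now sits one level left of the `$result = system` it belongs to; the equivalent change in tests/capable_sys/test reindents that line, and this one should match.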
diff --git a/tests/mac_admin/test b/tests/mac_admin/test
index e8e0bbf8cf19..32161f391643 100755
--- a/tests/mac_admin/test
+++ b/tests/mac_admin/test
@@ -1,10 +1,15 @@
#!/usr/bin/perl
use Test;
-BEGIN { plan tests => 8 }
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $isnfs = `stat -f --print %T $basedir`;
+
+ plan tests => 8;
+}
# Verify that test_mac_admin_t can relabel a file to an undefined context.
system("rm -f $basedir/test_file; touch $basedir/test_file");
@@ -36,7 +41,12 @@ ok( $result, 0 ); # we expect this to succeed.
# Verify that test_mac_admin_t sees the undefined label value.
$result = `runcon -t test_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`;
chomp($result);
-ok( $result, "UNDEFINED" );
+if ( $isnfs ne "nfs" ) {
+ ok( $result, "UNDEFINED" );
+}
+else {
+ ok( $result, "unlabeled_t" );
+}
# Verify that test_no_mac_admin_t sees the unlabeled context.
$result = `runcon -t test_no_mac_admin_t -- secon -t -f $basedir/test_dir 2>&1`;
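Review bot: the NFS branch hard-codes `unlabeled_t` with no explanation, so a reader of the test alone cannot tell whether this is expected server behaviour or a workaround; the rationale from the commit message (undefined contexts are not exported over NFS, so the client sees the unlabeled context) belongs in a comment next to the `else`. That comment should also say that on NFS this check becomes identical to the `test_no_mac_admin_t` check that follows it.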
diff --git a/tests/overlay/test b/tests/overlay/test
index 33eb0d1c2178..72affdfaa7ff 100755
--- a/tests/overlay/test
+++ b/tests/overlay/test
@@ -2,10 +2,18 @@
use Test::More;
BEGIN {
+ $basedir = $0;
+ $basedir =~ s|(.*)/[^/]*|$1|;
+
+ $isnfs = `stat -f --print %T $basedir`;
+
# check if kernel supports overlayfs and SELinux labeling
if ( system("grep -q security_inode_copy_up /proc/kallsyms") ) {
plan skip_all => "overlayfs not supported with SELinux in this kernel";
}
+ elsif ( $isnfs eq "nfs" ) {
+ plan skip_all => "overlayfs upperdir not supported on NFS";
+ }
else {
plan tests => 119;
}
@@ -695,9 +703,6 @@ sub test_93_1 {
return;
}
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
-
cleanup();
sub nocontext_test {
--
2.24.1
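Before running the nfs.sh sequence from the commit message, a practitioner would want to confirm that the directory the suite runs from really is a labeled NFS mount, since an NFSv4.1 mount or an export without `security_label` makes every file show up unlabeled and fails far more tests than the ones this patch skips. The script below is an added example, not part of the patch or the testsuite: it reuses the `stat -f --printf %T` probe the patched scripts run, and additionally parses the mount table for an nfs4 mount at vers=4.2; the mountpoint, the mounts-file path and the two-line sample listing are assumptions or constructed input.

```shell
#!/bin/sh
# Added example, not part of the patch: pre-flight checks before running the
# testsuite from a labeled NFS mount (needs NFSv4.2 + a security_label export).
# Filesystem type name holding $1 ("nfs", "ext2/ext3", ...): the probe the
# patched scripts run in BEGIN; --printf emits no trailing newline.
fs_type_of() { stat -f --printf '%T' "$1"; }
# 0 if $1 is on NFS, 1 otherwise.
is_on_nfs() { [ "$(fs_type_of "$1")" = "nfs" ]; }
# 0 if mountpoint $1 is listed in mounts file $2 (default /proc/self/mounts)
# as an nfs4 mount negotiated at vers=4.2; 1 if absent or anything else.
is_labeled_nfs_mount() {
    mountpoint=$1
    mounts=${2:-/proc/self/mounts}
    # /proc/self/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mp fstype opts _rest; do
        [ "$mp" = "$mountpoint" ] || continue
        [ "$fstype" = "nfs4" ] || return 1
        case ",$opts," in
            *,vers=4.2,*) return 0 ;;
            *) return 1 ;;
        esac
    done < "$mounts"
    return 1
}

# Report on $1, the mountpoint make test runs from (as in nfs.sh); 0 if both hold.
preflight() {
    dir=$1
    if ! is_on_nfs "$dir"; then
        echo "$dir: not on NFS (stat -f reports '$(fs_type_of "$dir")')" >&2
        return 1
    fi
    if ! is_labeled_nfs_mount "$dir"; then
        echo "$dir: not an nfs4 vers=4.2 mount; labels will not be exported" >&2
        return 1
    fi
    echo "$dir: labeled NFS mount, safe to run make test"
}

# Usage: sh preflight.sh /mnt/selinux-testsuite. With no argument, run the
# mount-table check on a constructed two-line listing instead of the live one.
if [ $# -gt 0 ]; then
    preflight "$1"
else
    sample=$(mktemp) && printf '%s\n' \
        'localhost:/home/u/selinux-testsuite /mnt/selinux-testsuite nfs4 rw,vers=4.2,sec=sys 0 0' \
        '/dev/sda1 /home ext4 rw,relatime 0 0' > "$sample"
    is_labeled_nfs_mount /mnt/selinux-testsuite "$sample" && echo "sample: labeled nfs4 mount found"
    rm -f "$sample"
fi
```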