[PATCH] testsuite: add further nfs tests

[PATCH] testsuite: add further nfs tests

[Stephen Smalley]

In addition to testing full NFS security labeling support,
make sure that context mounts continue to work independent
of whether the mount was exported with security_label, and
add a simple test of the default NFS file labeling.

With the previous changes, this completes addressing
https://github.com/SELinuxProject/selinux-testsuite/issues/32

Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/nfs.sh b/nfs.sh
index 31c66c377cae..a82c4069d76d 100755
--- a/nfs.sh
+++ b/nfs.sh
@@ -2,6 +2,8 @@
 MOUNT=`stat --print %m .`
 TESTDIR=`pwd`
 systemctl start nfs-server
+
+# Run the full testsuite on a labeled NFS mount.
 exportfs -orw,no_root_squash,security_label localhost:$MOUNT
 mkdir -p /mnt/selinux-testsuite
 mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
@@ -9,5 +11,41 @@ pushd /mnt/selinux-testsuite
 make test
 popd
 umount /mnt/selinux-testsuite
+
+# Test context mounts when exported with security_label.
+mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing context mount of a security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite/nfs.sh`
+if [ "$fctx" != "etc_t" ]; then
+    echo "Context mount failed: got $fctx instead of etc_t."
+    exit 1
+fi
+umount /mnt/selinux-testsuite
+exportfs -u localhost:$MOUNT
+
+# Test context mounts when not exported with security_label.
+exportfs -orw,no_root_squash localhost:$MOUNT
+mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing context mount of a non-security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite/nfs.sh`
+if [ "$fctx" != "etc_t" ]; then
+    echo "Context mount failed: got $fctx instead of etc_t."
+    exit 1
+fi
+umount /mnt/selinux-testsuite
+
+# Test non-context mount when not exported with security_label.
+mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing non-context mount of a non-security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite/nfs.sh`
+if [ "$fctx" != "nfs_t" ]; then
+    echo "Context mount failed: got $fctx instead of nfs_t."
+    exit 1
+fi
+umount /mnt/selinux-testsuite
+
+# All done.
+echo "Done"
 exportfs -u localhost:$MOUNT
+rmdir /mnt/selinux-testsuite
 systemctl stop nfs-server
-- 
2.24.1

Re: [PATCH] testsuite: add further nfs tests

[Paul Moore]

On Thu, Jan 30, 2020 at 2:26 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> In addition to testing full NFS security labeling support,
> make sure that context mounts continue to work independent
> of whether the mount was exported with security_label, and
> add a simple test of the default NFS file labeling.
>
> With the previous changes, this completes addressing
> https://github.com/SELinuxProject/selinux-testsuite/issues/32
>
> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 38 insertions(+)

Perhaps this belongs under tools/ and not the root of the test suite?

-- 
paul moore
www.paul-moore.com