From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH testsuite] selinux-testsuite: Add submount test
Date: Wed, 9 Oct 2019 10:01:04 -0400
Message-ID: <CAHC9VhRmX0ofWA7Yqg73XfDW0Hhf2j6Yr7pi1pQ=bDBiARd5sg@mail.gmail.com>
In-Reply-To: <ddea594c-717b-cb40-6bd7-7bb6c8cae79d@tycho.nsa.gov>

On Wed, Oct 9, 2019 at 9:53 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/8/19 5:30 PM, Paul Moore wrote:
> > On Mon, Sep 30, 2019 at 10:07 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> On 9/30/19 9:16 AM, Ondrej Mosnacek wrote:
> >>> Add a test that verifies that SELinux permissions are not checked when
> >>> mounting submounts. The test sets up a simple local NFS export on a
> >>> directory which has another filesystem mounted on its subdirectory.
> >>> Since the export is set up with the crossmnt option enabled, any client
> >>> mount will try to transparently mount any subdirectory that has a
> >>> filesystem mounted on it on the server, triggering an internal mount.
> >>> The test tries to access the automounted part of this export via a
> >>> client mount without having permission to mount filesystems, expecting
> >>> it to succeed.
> >>>
> >>> The original bug this test is checking for has been fixed in kernel
> >>> commit 892620bb3454 ("selinux: always allow mounting submounts"), which
> >>> has been backported to 4.9+ stable kernels.
> >>>
> >>> The test first checks whether it is able to export and mount directories
> >>> via NFS and skips the actual tests if, e.g., the NFS daemon is not running.
> >>> This means that the testsuite can still be run without having the NFS
> >>> server installed and running.
> >>
> >> 1) We have to manually start nfs-server in order for the test to run;
> >> else it will be skipped automatically.  Do we want to start/stop the
> >> nfs-server as part of the test script?
> >
> > My two cents are that I'm not sure we want to automatically start/stop
> > the NFS server with the usual "make test", perhaps we have a dedicated
> > NFS test target that does the setup-test-shutdown?  Other ideas are
> > welcome.
>
> I guess my concern is that anything that doesn't run with the default
> make test probably won't get run at all with any regularity.

FWIW, I think I'm the only one regularly running the tests on upstream
kernels and reporting the results.  RH was running the tests at one
point, and may still be doing so, but I have no idea what kernels they
are testing (maybe just RHEL, stable Fedora, etc.) and what their
process is when they find failures.

I also try to enable everything that I can enable for my test runs.
Thanks to Mellanox I can even run the IB tests.

> For
> something that requires specialized hardware (e.g. InfiniBand), this is
> reasonable but that isn't true of NFS.  For the more analogous cases of
> e.g. labeled IPSEC, NetLabel, SECMARK, we already load and unload
> network configurations for the testsuite during testing.

That's a good point about the other networking tests.  My gut feeling
tells me that NFS should be "different", but I guess I can't really
justify that statement in an objectively meaningful way.

-- 
paul moore
www.paul-moore.com
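The thread above is about whether the submount test should start and stop nfs-server itself. The following is an added example, written for this page and not code from the selinux-testsuite or from any of the people in the thread, of a setup-test-teardown wrapper in that shape. It records whether nfs-server was already active so teardown restores the host to the state it found, builds the server-side submount the commit message describes (a second filesystem mounted on a subdirectory of a crossmnt export), and refuses to continue unless `exportfs -v` really reports crossmnt for the export. The export and mount paths, the `nfs-server` unit name and the sample `exportfs -v` lines are assumptions; the confined-domain part of the real test is not reproduced here.

```shell
#!/bin/sh
# Added example: setup/teardown wrapper for an NFS submount test.
# Not part of the selinux-testsuite. Paths and service name are assumed.

EXPORT_DIR=${EXPORT_DIR:-/tmp/selinux-submount-export}   # assumed path
MNT_DIR=${MNT_DIR:-/tmp/selinux-submount-mnt}             # assumed path

# export_has_option DIR OPT
# Reads `exportfs -v` style output on stdin and returns 0 when the export
# of DIR lists OPT in its option list. Handles the long-path layout where
# exportfs prints the path on one line and the client(options) part
# indented on the next.
export_has_option() {
    dir=$1; opt=$2
    awk -v dir="$dir" -v opt="$opt" '
        /^[^[:space:]]/ { path=$1; rest=substr($0, length($1)+1) }
        /^[[:space:]]/  { rest=$0 }
        {
            if (path == dir && match(rest, /\(([^)]*)\)/)) {
                n = split(substr(rest, RSTART+1, RLENGTH-2), opts, ",")
                for (i = 1; i <= n; i++) if (opts[i] == opt) found=1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# CONSTRUCTED sample of `exportfs -v` output (not captured from a host),
# used to exercise export_has_option without an NFS server present.
sample_exportfs_output() {
    printf '%s\t%s\n' "$EXPORT_DIR" \
        '<world>(rw,wdelay,crossmnt,root_squash,no_subtree_check,sec=sys)'
    printf '%s\n\t%s\n' /srv/other \
        '<world>(ro,wdelay,root_squash,no_subtree_check,sec=sys)'
}

# Start nfs-server only if it was not already running, and remember that
# decision so teardown does not stop a service the administrator started.
nfs_setup() {
    if systemctl is-active --quiet nfs-server; then
        NFS_WAS_ACTIVE=1
    else
        NFS_WAS_ACTIVE=0
        systemctl start nfs-server || return 1
    fi
    mkdir -p "$EXPORT_DIR/sub" "$MNT_DIR" || return 1
    # A separate filesystem on the subdirectory is what makes it a submount
    # on the server side; tmpfs is enough for that.
    mount -t tmpfs tmpfs "$EXPORT_DIR/sub" || return 1
    exportfs -o rw,crossmnt,no_root_squash localhost:"$EXPORT_DIR" || return 1
    # Do not run the test against an export that lacks crossmnt: the client
    # would never trigger the internal submount the test is about.
    exportfs -v | export_has_option "$EXPORT_DIR" crossmnt
}

# Undo everything nfs_setup did, in reverse order; each step is best-effort
# so a partial setup can still be cleaned up.
nfs_teardown() {
    umount "$MNT_DIR" 2>/dev/null
    exportfs -u localhost:"$EXPORT_DIR" 2>/dev/null
    umount "$EXPORT_DIR/sub" 2>/dev/null
    if [ "${NFS_WAS_ACTIVE:-1}" = 0 ]; then
        systemctl stop nfs-server
    fi
    return 0
}

# Returns 77 (the usual "skipped" status) when NFS cannot be set up, so a
# default `make test` run neither fails nor silently passes on such hosts.
run_submount_test() {
    if ! nfs_setup; then
        nfs_teardown
        echo "skip: NFS export not usable on this host"
        return 77
    fi
    if ! mount -t nfs -o vers=4 localhost:"$EXPORT_DIR" "$MNT_DIR"; then
        nfs_teardown
        return 1
    fi
    # First access of the subdirectory is what triggers the client-side
    # internal mount of the server's submount.
    ls "$MNT_DIR/sub" >/dev/null 2>&1
    rc=$?
    nfs_teardown
    return $rc
}

# Run as root on a host with nfs-utils: sh this_script.sh run
if [ "${1:-}" = run ]; then
    run_submount_test
fi
```

Only `export_has_option` runs without privileges; the rest needs root and nfs-utils. The `NFS_WAS_ACTIVE` bookkeeping is the part that makes auto-starting the server acceptable in a default `make test` run: the host ends up in the state the test found it.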
