From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Moore <paul@paul-moore.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH testsuite] selinux-testsuite: Add submount test
Date: Wed, 9 Oct 2019 09:53:16 -0400
Message-ID: <ddea594c-717b-cb40-6bd7-7bb6c8cae79d@tycho.nsa.gov>
In-Reply-To: <CAHC9VhTVNgqOgRjgk37x0EyZQWBbrYJ1FND5hVMxZUJ5JcofPA@mail.gmail.com>

On 10/8/19 5:30 PM, Paul Moore wrote:
> On Mon, Sep 30, 2019 at 10:07 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 9/30/19 9:16 AM, Ondrej Mosnacek wrote:
>>> Add a test that verifies that SELinux permissions are not checked when
>>> mounting submounts. The test sets up a simple local NFS export on a
>>> directory which has another filesystem mounted on its subdirectory.
>>> Since the export is set up with the crossmnt option enabled, any client
>>> mount will try to transparently mount any subdirectory that has a
>>> filesystem mounted on it on the server, triggering an internal mount.
>>> The test tries to access the automounted part of this export via a
>>> client mount without having a permission to mount filesystems, expecting
>>> it to succeed.
>>>
>>> The original bug this test is checking for has been fixed in kernel
>>> commit 892620bb3454 ("selinux: always allow mounting submounts"), which
>>> has been backported to 4.9+ stable kernels.
>>>
>>> The test first checks whether it is able to export and mount directories
>>> via NFS and skips the actual tests if e.g. NFS daemon is not running.
>>> This means that the testsuite can still be run without having the NFS
>>> server installed and running.
>>
>> 1) We have to manually start nfs-server in order for the test to run;
>> else it will be skipped automatically.  Do we want to start/stop the
>> nfs-server as part of the test script?
> 
> My two cents are that I'm not sure we want to automatically start/stop
> the NFS server with the usual "make test", perhaps we have a dedicated
> NFS test target that does the setup-test-shutdown?  Other ideas are
> welcome.

I guess my concern is that anything that doesn't run with the default
make test probably won't get run at all with any regularity.  For
something that requires specialized hardware (e.g. InfiniBand), this is
reasonable but that isn't true of NFS.  For the more analogous cases of
e.g. labeled IPSEC, NetLabel, SECMARK, we already load and unload
network configurations for the testsuite during testing.
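The setup-test-teardown pattern under discussion, as an added sketch that is not the selinux-testsuite's own submount test and not code from anyone in this thread: the script starts nfs-server itself when it is not already running (and stops it again on exit), exports a directory with crossmnt, mounts it over NFS from localhost, and checks that crossing into the submount succeeds without mount permission, which is what kernel commit 892620bb3454 guarantees. Everything beyond that description is assumed: systemd-managed nfs-server, a tmpfs as the nested filesystem, constructed paths under /tmp, and a placeholder test domain `test_submount_t` invoked through runcon. The real run needs root, an NFS server and the test policy, so it is only entered when `RUN_SUBMOUNT_TEST=1`; the `plan` helper isolates the skip/start/run decision so that logic can be exercised without any of that.

```bash
#!/bin/bash
# Added example (not selinux-testsuite code): submount test that manages
# nfs-server itself, in the spirit of the IPSEC/NetLabel/SECMARK tests that
# load and unload their network configuration during "make test".

EXPORT_DIR=/tmp/submount_export      # constructed; keep the export root on a
SUB_DIR=$EXPORT_DIR/sub              # persistent fs (tmpfs roots need fsid=)
MNT_DIR=/tmp/submount_mnt            # constructed client-side mount point
STARTED_NFS=0                        # set if this script started nfs-server

# 0 if an NFS server is answering on localhost, 1 otherwise.
nfs_running() { rpcinfo -t localhost nfs >/dev/null 2>&1; }

# Pure decision helper, checkable without root.
#   $1: "running" | "stopped"      (NFS state at entry)
#   $2: "may-start" | "no-start"   (is the script allowed to start nfs-server?)
plan() {
    case "$1,$2" in
        running,*)         echo run ;;
        stopped,may-start) echo start-then-run ;;
        *)                 echo skip ;;
    esac
}

setup() {
    if ! nfs_running; then
        systemctl start nfs-server || return 1
        STARTED_NFS=1
    fi
    mkdir -p "$SUB_DIR" "$MNT_DIR"
    # A separate filesystem mounted on a subdirectory of the export.
    mount -t tmpfs tmpfs "$SUB_DIR" || return 1
    touch "$SUB_DIR/marker"
    # crossmnt: clients transparently get $SUB_DIR as an NFS submount.
    exportfs -o rw,no_root_squash,crossmnt localhost:"$EXPORT_DIR" || return 1
    mount -t nfs localhost:"$EXPORT_DIR" "$MNT_DIR"
}

teardown() {
    umount "$MNT_DIR" 2>/dev/null
    exportfs -u localhost:"$EXPORT_DIR" 2>/dev/null
    umount "$SUB_DIR" 2>/dev/null
    rm -rf "$EXPORT_DIR" "$MNT_DIR"
    if [ "$STARTED_NFS" = 1 ]; then systemctl stop nfs-server; fi
}

# Crossing into the submount triggers an internal mount; a domain without
# mount permission must still succeed. test_submount_t is a placeholder.
run_test() {
    runcon -t test_submount_t cat "$MNT_DIR/sub/marker" >/dev/null
}

main() {
    [ "$(id -u)" = 0 ] || { echo "must run as root" >&2; return 2; }
    state=stopped
    nfs_running && state=running
    if [ "$(plan "$state" "${ALLOW_START_NFS:-may-start}")" = skip ]; then
        echo "skipping: nfs-server not running and may not be started"
        return 0
    fi
    trap teardown EXIT
    setup || { echo "setup failed" >&2; return 1; }
    if run_test; then echo "PASS: submount accessible without mount permission"
    else echo "FAIL: submount access denied" >&2; return 1; fi
}

# Real run only on request: needs root, nfs-utils and the test policy.
if [ "${RUN_SUBMOUNT_TEST:-0}" = 1 ]; then main; fi
```

Set `ALLOW_START_NFS=no-start` to reproduce the patch's current behaviour (skip when nfs-server is not already up); the default lets the script bring the server up and down itself so the test runs under a plain `make test`.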
