* [PATCH v3 1/2] testsuite: provide support for testing labeled NFS
@ 2020-01-30 20:22 Stephen Smalley
2020-01-30 20:22 ` [PATCH v3 2/2] testsuite: add further nfs tests Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-01-30 20:22 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, richard_c_haines, Stephen Smalley
Provide instructions in the README.md file, the required kernel config
options in defconfig, and a nfs.sh script for running the testsuite
within a labeled NFS mount. This depends on the previous change to
enable running over labeled NFS without failures.
This completes the first part of
https://github.com/SELinuxProject/selinux-testsuite/issues/32.
What remains unfinished is adding tests that context mounts are properly
honored, with and without security_label in exports, for NFS, and
default labeling of NFS when neither security_label nor context mounts
are used (i.e. genfscon default of nfs_t).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
the relocation. As before, these patches depend on the previous one
("testsuite: enable running over labeled NFS") in order to allow the
testsuite to pass on NFS mounts.
README.md | 41 +++++++++++++++++++++++++++++++++++++++++
defconfig | 10 ++++++++++
tools/nfs.sh | 13 +++++++++++++
3 files changed, 64 insertions(+)
create mode 100755 tools/nfs.sh
diff --git a/README.md b/README.md
index 4352796edb2d..e02ae9ac6d6f 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,47 @@ the tests:
tests/infiniband_pkey/ibpkey_test.conf
tests/infiniband_endport/ibendport_test.conf
+#### NFS
+
+It is possible to run most of the tests within a labeled NFS mount in
+order to exercise the NFS security labeling functionality. Certain
+tests have been excluded from such testing due to differences between
+NFS and local filesystems; these tests will be automatically skipped.
+
+You will need to install an additional package, the package below
+is for Fedora/RHEL but other Linux distributions should have a similar
+package:
+
+* nfs-utils _(for `nfsd', `exportfs', and other NFS-related programs)_
+
+On a modern Fedora system you can install this dependency with the
+following command:
+
+ # dnf install nfs-utils
+
+If your distribution does not use systemd as its init system, you will
+need to customize the nfs.sh script found in the tools directory to
+correctly start and stop the nfs server. You may also choose to not
+start/stop the nfs-server as part of the script by removing those lines
+if you are already using NFS for other reasons.
+
+Before running the tests in a labeled NFS mount, first ensure that you
+can run them successfully on a local filesystem following the standard
+instructions further below. Any failures that occur on a local
+filesystem should also typically be expected when running over NFS.
+
+To run the tests within a labeled NFS mount, you can run the
+nfs.sh script while in the selinux-testsuite directory:
+
+ # cd selinux-testsuite
+ # ./tools/nfs.sh
+
+The script will start the nfs-server, export the mount containing the
+testsuite directory with the security_label option to localhost, mount
+it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory,
+and run the testsuite there. After completion, it will unmount and
+unexport the mount and then stop the nfs-server.
+
## Running the Tests
Create a shell with the `unconfined_r` or `sysadm_r` role and the Linux
diff --git a/defconfig b/defconfig
index 7cb6a2ca7f71..8419e40b79dc 100644
--- a/defconfig
+++ b/defconfig
@@ -94,3 +94,13 @@ CONFIG_TRACEPOINTS=y
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
CONFIG_QFMT_V2=y
+
+# Test labeled NFS.
+# This is not required for SELinux operation itself.
+CONFIG_NFS_FS=m
+CONFIG_NFS_V4=m
+CONFIG_NFS_V4_2=y
+CONFIG_NFS_V4_SECURITY_LABEL=y
+CONFIG_NFSD=m
+CONFIG_NFSD_V4=y
+CONFIG_NFSD_V4_SECURITY_LABEL=y
diff --git a/tools/nfs.sh b/tools/nfs.sh
new file mode 100755
index 000000000000..31c66c377cae
--- /dev/null
+++ b/tools/nfs.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+MOUNT=`stat --print %m .`
+TESTDIR=`pwd`
+systemctl start nfs-server
+exportfs -orw,no_root_squash,security_label localhost:$MOUNT
+mkdir -p /mnt/selinux-testsuite
+mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
+pushd /mnt/selinux-testsuite
+make test
+popd
+umount /mnt/selinux-testsuite
+exportfs -u localhost:$MOUNT
+systemctl stop nfs-server
--
2.24.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v3 2/2] testsuite: add further nfs tests
2020-01-30 20:22 [PATCH v3 1/2] testsuite: provide support for testing labeled NFS Stephen Smalley
@ 2020-01-30 20:22 ` Stephen Smalley
2020-02-05 17:10 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-01-30 20:22 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, richard_c_haines, Stephen Smalley
In addition to testing full NFS security labeling support,
make sure that context mounts continue to work independent
of whether the mount was exported with security_label, and
add a simple test of the default NFS file labeling.
With the previous changes, this completes addressing
https://github.com/SELinuxProject/selinux-testsuite/issues/32
Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
the relocation. As before, these patches depend on the previous one
("testsuite: enable running over labeled NFS") in order to allow the
testsuite to pass on NFS mounts.
README.md | 5 ++++-
tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e02ae9ac6d6f..64f80c8fd493 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,10 @@ nfs.sh script while in the selinux-testsuite directory:
The script will start the nfs-server, export the mount containing the
testsuite directory with the security_label option to localhost, mount
it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory,
-and run the testsuite there. After completion, it will unmount and
+and run the testsuite there. After running the testsuite, the script
+will also perform tests of context mounts with and without the
+security_label export option and will test default NFS file labeling
+in the absence of any options. When finished, it will unmount and
unexport the mount and then stop the nfs-server.
## Running the Tests
diff --git a/tools/nfs.sh b/tools/nfs.sh
index 31c66c377cae..314f898a6c02 100755
--- a/tools/nfs.sh
+++ b/tools/nfs.sh
@@ -2,6 +2,8 @@
MOUNT=`stat --print %m .`
TESTDIR=`pwd`
systemctl start nfs-server
+
+# Run the full testsuite on a labeled NFS mount.
exportfs -orw,no_root_squash,security_label localhost:$MOUNT
mkdir -p /mnt/selinux-testsuite
mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
@@ -9,5 +11,41 @@ pushd /mnt/selinux-testsuite
make test
popd
umount /mnt/selinux-testsuite
+
+# Test context mounts when exported with security_label.
+mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing context mount of a security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite`
+if [ "$fctx" != "etc_t" ]; then
+ echo "Context mount failed: got $fctx instead of etc_t."
+ exit 1
+fi
+umount /mnt/selinux-testsuite
+exportfs -u localhost:$MOUNT
+
+# Test context mounts when not exported with security_label.
+exportfs -orw,no_root_squash localhost:$MOUNT
+mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing context mount of a non-security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite`
+if [ "$fctx" != "etc_t" ]; then
+ echo "Context mount failed: got $fctx instead of etc_t."
+ exit 1
+fi
+umount /mnt/selinux-testsuite
+
+# Test non-context mount when not exported with security_label.
+mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing non-context mount of a non-security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite`
+if [ "$fctx" != "nfs_t" ]; then
+ echo "Context mount failed: got $fctx instead of nfs_t."
+ exit 1
+fi
+umount /mnt/selinux-testsuite
+
+# All done.
+echo "Done"
exportfs -u localhost:$MOUNT
+rmdir /mnt/selinux-testsuite
systemctl stop nfs-server
--
2.24.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v3 2/2] testsuite: add further nfs tests
2020-01-30 20:22 ` [PATCH v3 2/2] testsuite: add further nfs tests Stephen Smalley
@ 2020-02-05 17:10 ` Stephen Smalley
2020-02-06 16:36 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-02-05 17:10 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, richard_c_haines
On 1/30/20 3:22 PM, Stephen Smalley wrote:
> In addition to testing full NFS security labeling support,
> make sure that context mounts continue to work independent
> of whether the mount was exported with security_label, and
> add a simple test of the default NFS file labeling.
>
> With the previous changes, this completes addressing
> https://github.com/SELinuxProject/selinux-testsuite/issues/32
>
> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
> the relocation. As before, these patches depend on the previous one
> ("testsuite: enable running over labeled NFS") in order to allow the
> testsuite to pass on NFS mounts.
>
> README.md | 5 ++++-
> tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
> 2 files changed, 42 insertions(+), 1 deletion(-)
Both are now applied.
[...]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3 2/2] testsuite: add further nfs tests
2020-02-05 17:10 ` Stephen Smalley
@ 2020-02-06 16:36 ` Stephen Smalley
2020-02-13 22:12 ` Paul Moore
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-02-06 16:36 UTC (permalink / raw)
To: paul; +Cc: selinux, omosnace, richard_c_haines
On 2/5/20 12:10 PM, Stephen Smalley wrote:
> On 1/30/20 3:22 PM, Stephen Smalley wrote:
>> In addition to testing full NFS security labeling support,
>> make sure that context mounts continue to work independent
>> of whether the mount was exported with security_label, and
>> add a simple test of the default NFS file labeling.
>>
>> With the previous changes, this completes addressing
>> https://github.com/SELinuxProject/selinux-testsuite/issues/32
>>
>> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>> v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
>> the relocation. As before, these patches depend on the previous one
>> ("testsuite: enable running over labeled NFS") in order to allow the
>> testsuite to pass on NFS mounts.
>>
>> README.md | 5 ++++-
>> tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
>> 2 files changed, 42 insertions(+), 1 deletion(-)
>
> Both are now applied.
>
> [...]
It would be good if we could get tools/nfs.sh running on kernels going
forward in addition to regular runs of selinux-testsuite.
A few potential enhancements and improvements that could still be made
in the area of NFS testing:
1) There isn't yet a test that trying to mount the same NFS filesystem
with two different sets of context mount options (or one with and one
without context mount options) is rejected as expected.
2) There was an earlier bug where mounting a security_label exported NFS
filesystem twice could clear the native labeling flags and thereby
disable NFS security labeling support; this was fixed by kernel commit
3815a245b50124f0865415dcb606a034e97494d4. Adding a test to confirm that
this behavior doesn't recur might be useful.
3) There was an earlier bug where context mounts of security_label
exported NFS filesystems yielded mixed behavior with the top-level mount
and newly created files appearing with the context mount value but
pre-existing files appearing with the underlying xattr value; this was
fixed by 0b4d3452b8b4a5309b4445b900e3cec022cca95a. My original version
of nfs.sh actually would have caught this because it was testing the
context of the nfs.sh script file itself within the context mount but I
dropped it back to only checking the top-level mount directory when I
moved tools/nfs.sh to avoid depending on a fixed location for it, so it
won't be caught currently. We should probably change it back to testing
the context of a pre-existing file within the mount; any file will do.
4) Ensuring that all of the tests/filesystem and tests/fs_filesystem
tests that make sense for NFS are being run on the NFS mount itself and
not just on an ext4 mount created by the test script.
5) We could have nfs.sh set a variable checked by tests/Makefile to skip
any tests that are completely irrelevant from a filesystem security
labeling perspective to minimize noise and duplication with regular runs
of selinux-testsuite. In a certain sense, they all exercise filesystem
security labeling in that they are depending on file labels but they
aren't all testing that functionality per se. Deciding exactly which
ones to include/exclude may not be entirely obvious though.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3 2/2] testsuite: add further nfs tests
2020-02-06 16:36 ` Stephen Smalley
@ 2020-02-13 22:12 ` Paul Moore
2020-02-14 13:17 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2020-02-13 22:12 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace, richard_c_haines
On Thu, Feb 6, 2020 at 11:36 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 2/5/20 12:10 PM, Stephen Smalley wrote:
> > On 1/30/20 3:22 PM, Stephen Smalley wrote:
> >> In addition to testing full NFS security labeling support,
> >> make sure that context mounts continue to work independent
> >> of whether the mount was exported with security_label, and
> >> add a simple test of the default NFS file labeling.
> >>
> >> With the previous changes, this completes addressing
> >> https://github.com/SELinuxProject/selinux-testsuite/issues/32
> >>
> >> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
> >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >> ---
> >> v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
> >> the relocation. As before, these patches depend on the previous one
> >> ("testsuite: enable running over labeled NFS") in order to allow the
> >> testsuite to pass on NFS mounts.
> >>
> >> README.md | 5 ++++-
> >> tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
> >> 2 files changed, 42 insertions(+), 1 deletion(-)
> >
> > Both are now applied.
> >
> > [...]
>
> It would be good if we could get tools/nfs.sh running on kernels going
> forward in addition to regular runs of selinux-testsuite.
I've never tried this ... is it possible to mount a NFS mount over
loopback? What about labeled NFS?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3 2/2] testsuite: add further nfs tests
2020-02-13 22:12 ` Paul Moore
@ 2020-02-14 13:17 ` Stephen Smalley
2020-02-20 1:33 ` Paul Moore
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-02-14 13:17 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux, omosnace, richard_c_haines
On 2/13/20 5:12 PM, Paul Moore wrote:
> On Thu, Feb 6, 2020 at 11:36 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> It would be good if we could get tools/nfs.sh running on kernels going
>> forward in addition to regular runs of selinux-testsuite.
>
> I've never tried this ... is it possible to mount a NFS mount over
> loopback? What about labeled NFS?
Yes to both. That's how tools/nfs.sh works. I added instructions to
the README.md as part of the patch for dependencies and running it, but
it isn't run by default.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3 2/2] testsuite: add further nfs tests
2020-02-14 13:17 ` Stephen Smalley
@ 2020-02-20 1:33 ` Paul Moore
0 siblings, 0 replies; 7+ messages in thread
From: Paul Moore @ 2020-02-20 1:33 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux, omosnace, richard_c_haines
On Fri, Feb 14, 2020 at 8:16 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 2/13/20 5:12 PM, Paul Moore wrote:
> > On Thu, Feb 6, 2020 at 11:36 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> It would be good if we could get tools/nfs.sh running on kernels going
> >> forward in addition to regular runs of selinux-testsuite.
> >
> > I've never tried this ... is it possible to mount a NFS mount over
> > loopback? What about labeled NFS?
>
> Yes to both. That's how tools/nfs.sh works. I added instructions to
> the README.md as part of the patch for dependencies and running it, but
> it isn't run by default.
[Apologies to Stephen who is getting two copies of this, I forgot to
hit reply-all on my original response]
Thanks. I'll look into adding that to my automated testing.
I also need to set something up to check to see what other subsystems
drop in security/selinux both in the linux-next tree as well as in
Linus' tree during the -rcX phase. The keys patch is the latest
snafu, but there have been others.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-02-20 1:33 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-30 20:22 [PATCH v3 1/2] testsuite: provide support for testing labeled NFS Stephen Smalley
2020-01-30 20:22 ` [PATCH v3 2/2] testsuite: add further nfs tests Stephen Smalley
2020-02-05 17:10 ` Stephen Smalley
2020-02-06 16:36 ` Stephen Smalley
2020-02-13 22:12 ` Paul Moore
2020-02-14 13:17 ` Stephen Smalley
2020-02-20 1:33 ` Paul Moore
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).