SELinux Archive on lore.kernel.org
* [PATCH v3 1/2] testsuite: provide support for testing labeled NFS
@ 2020-01-30 20:22 Stephen Smalley
  2020-01-30 20:22 ` [PATCH v3 2/2] testsuite: add further nfs tests Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-01-30 20:22 UTC (permalink / raw)
  To: paul; +Cc: selinux, omosnace, richard_c_haines, Stephen Smalley

Provide instructions in the README.md file, the required kernel config
options in defconfig, and an nfs.sh script for running the testsuite
within a labeled NFS mount.  This depends on the previous change to
enable running over labeled NFS without failures.

This completes the first part of
https://github.com/SELinuxProject/selinux-testsuite/issues/32.

What remains unfinished is adding tests that context mounts are properly
honored, with and without security_label in exports, for NFS, and
default labeling of NFS when neither security_label nor context mounts
are used (i.e. genfscon default of nfs_t).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
the relocation.  As before, these patches depend on the previous one
("testsuite: enable running over labeled NFS") in order to allow the
testsuite to pass on NFS mounts.

 README.md    | 41 +++++++++++++++++++++++++++++++++++++++++
 defconfig    | 10 ++++++++++
 tools/nfs.sh | 13 +++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100755 tools/nfs.sh

diff --git a/README.md b/README.md
index 4352796edb2d..e02ae9ac6d6f 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,47 @@ the tests:
 	tests/infiniband_pkey/ibpkey_test.conf
 	tests/infiniband_endport/ibendport_test.conf
 
+#### NFS
+
+It is possible to run most of the tests within a labeled NFS mount in
+order to exercise the NFS security labeling functionality.  Certain
+tests have been excluded from such testing due to differences between
+NFS and local filesystems; these tests will be automatically skipped.
+
+You will need to install an additional package, the package below
+is for Fedora/RHEL but other Linux distributions should have a similar
+package:
+
+* nfs-utils _(for `nfsd', `exportfs', and other NFS-related programs)_
+
+On a modern Fedora system you can install this dependency with the
+following command:
+
+	# dnf install nfs-utils
+
+If your distribution does not use systemd as its init system, you will
+need to customize the nfs.sh script found in the tools directory to
+correctly start and stop the nfs server.  You may also choose to not
+start/stop the nfs-server as part of the script by removing those lines
+if you are already using NFS for other reasons.
+
+Before running the tests in a labeled NFS mount, first ensure that you
+can run them successfully on a local filesystem following the standard
+instructions further below.  Any failures that occur on a local
+filesystem should also typically be expected when running over NFS.
+
+To run the tests within a labeled NFS mount, you can run the
+nfs.sh script while in the selinux-testsuite directory:
+
+       # cd selinux-testsuite
+       # ./tools/nfs.sh
+
+The script will start the nfs-server, export the mount containing the
+testsuite directory with the security_label option to localhost, mount
+it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory,
+and run the testsuite there.  After completion, it will unmount and
+unexport the mount and then stop the nfs-server.
+
 ## Running the Tests
 
 Create a shell with the `unconfined_r` or `sysadm_r` role and the Linux
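Review bot: the sentence "You will need to install an additional package, the package below is for Fedora/RHEL but other Linux distributions should have a similar package" is a comma splice; suggest "You will need to install an additional package; the one below is for Fedora/RHEL, but other Linux distributions should have a similar package." Two smaller formatting points in the same hunk: the `# cd selinux-testsuite` / `# ./tools/nfs.sh` block is indented with spaces while the `# dnf install nfs-utils` block and the existing README blocks above it use a tab, and the `` `nfsd' `` / `` `exportfs' `` quoting will render as unbalanced code spans in Markdown, so `` `nfsd` `` and `` `exportfs` `` are preferable. Since the script starts nfs-server and runs exportfs and mount, it must be run as root; the `#` prompt implies this, but stating it once in the text would help.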
diff --git a/defconfig b/defconfig
index 7cb6a2ca7f71..8419e40b79dc 100644
--- a/defconfig
+++ b/defconfig
@@ -94,3 +94,13 @@ CONFIG_TRACEPOINTS=y
 CONFIG_BLK_DEV_LOOP=m
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
 CONFIG_QFMT_V2=y
+
+# Test labeled NFS.
+# This is not required for SELinux operation itself.
+CONFIG_NFS_FS=m
+CONFIG_NFS_V4=m
+CONFIG_NFS_V4_2=y
+CONFIG_NFS_V4_SECURITY_LABEL=y
+CONFIG_NFSD=m
+CONFIG_NFSD_V4=y
+CONFIG_NFSD_V4_SECURITY_LABEL=y
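Review bot: `CONFIG_NFS_V4_2=y` cannot be honored from this fragment alone, because in mainline fs/nfs/Kconfig NFS_V4_2 depends on NFS_V4_1 (which in turn depends on NFS_V4), and a `make olddefconfig` merge silently drops any option whose dependencies are unmet; `CONFIG_NFS_V4_SECURITY_LABEL=y` would then be dropped as well since it depends on NFS_V4_2. Suggest adding `CONFIG_NFS_V4_1=y` between `CONFIG_NFS_V4=m` and `CONFIG_NFS_V4_2=y`. Both security-label options also depend on CONFIG_SECURITY, which the remainder of this defconfig already has to enable for SELinux, so no change is needed there.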
diff --git a/tools/nfs.sh b/tools/nfs.sh
new file mode 100755
index 000000000000..31c66c377cae
--- /dev/null
+++ b/tools/nfs.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+MOUNT=`stat --print %m .`
+TESTDIR=`pwd`
+systemctl start nfs-server
+exportfs -orw,no_root_squash,security_label localhost:$MOUNT
+mkdir -p /mnt/selinux-testsuite
+mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
+pushd /mnt/selinux-testsuite
+make test
+popd
+umount /mnt/selinux-testsuite
+exportfs -u localhost:$MOUNT
+systemctl stop nfs-server
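Review bot: `pushd` and `popd` are bash builtins rather than POSIX sh, so under the `#!/bin/sh -e` shebang the script fails with "pushd: not found" on distributions where /bin/sh is dash; either change the shebang to `#!/bin/bash -e` or run the suite in a subshell, `(cd /mnt/selinux-testsuite && make test)`, which needs no popd. Relatedly, because of `-e` a non-zero exit from `make test` aborts the script before the `umount`, `exportfs -u` and `systemctl stop nfs-server` lines, leaving the export and the mount in place for the next run; a `trap '...' EXIT` that performs that cleanup, or capturing the make status and cleaning up before exiting with it, would keep the host in a known state after a failing run. Finally, `$MOUNT` and `$TESTDIR` should be double-quoted in the `exportfs`, `mount` and `exportfs -u` lines so that paths containing spaces work.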
-- 
2.24.1



* [PATCH v3 2/2] testsuite: add further nfs tests
  2020-01-30 20:22 [PATCH v3 1/2] testsuite: provide support for testing labeled NFS Stephen Smalley
@ 2020-01-30 20:22 ` Stephen Smalley
  2020-02-05 17:10   ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-01-30 20:22 UTC (permalink / raw)
  To: paul; +Cc: selinux, omosnace, richard_c_haines, Stephen Smalley

In addition to testing full NFS security labeling support,
make sure that context mounts continue to work independent
of whether the mount was exported with security_label, and
add a simple test of the default NFS file labeling.

With the previous changes, this completes addressing
https://github.com/SELinuxProject/selinux-testsuite/issues/32

Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
the relocation.  As before, these patches depend on the previous one
("testsuite: enable running over labeled NFS") in order to allow the
testsuite to pass on NFS mounts.

 README.md    |  5 ++++-
 tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e02ae9ac6d6f..64f80c8fd493 100644
--- a/README.md
+++ b/README.md
@@ -156,7 +156,10 @@ nfs.sh script while in the selinux-testsuite directory:
 The script will start the nfs-server, export the mount containing the
 testsuite directory with the security_label option to localhost, mount
 it via NFSv4.2 on /mnt/selinux-testsuite, switch to that directory,
-and run the testsuite there.  After completion, it will unmount and
+and run the testsuite there.  After running the testsuite, the script
+will also perform tests of context mounts with and without the
+security_label export option and will test default NFS file labeling
+in the absence of any options.  When finished, it will unmount and
 unexport the mount and then stop the nfs-server.
 
 ## Running the Tests
diff --git a/tools/nfs.sh b/tools/nfs.sh
index 31c66c377cae..314f898a6c02 100755
--- a/tools/nfs.sh
+++ b/tools/nfs.sh
@@ -2,6 +2,8 @@
 MOUNT=`stat --print %m .`
 TESTDIR=`pwd`
 systemctl start nfs-server
+
+# Run the full testsuite on a labeled NFS mount.
 exportfs -orw,no_root_squash,security_label localhost:$MOUNT
 mkdir -p /mnt/selinux-testsuite
 mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
@@ -9,5 +11,41 @@ pushd /mnt/selinux-testsuite
 make test
 popd
 umount /mnt/selinux-testsuite
+
+# Test context mounts when exported with security_label.
+mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing context mount of a security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite`
+if [ "$fctx" != "etc_t" ]; then
+    echo "Context mount failed: got $fctx instead of etc_t."
+    exit 1
+fi
+umount /mnt/selinux-testsuite
+exportfs -u localhost:$MOUNT
+
+# Test context mounts when not exported with security_label.
+exportfs -orw,no_root_squash localhost:$MOUNT
+mount -t nfs -o vers=4.2,context=system_u:object_r:etc_t:s0 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing context mount of a non-security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite`
+if [ "$fctx" != "etc_t" ]; then
+    echo "Context mount failed: got $fctx instead of etc_t."
+    exit 1
+fi
+umount /mnt/selinux-testsuite
+
+# Test non-context mount when not exported with security_label.
+mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
+echo "Testing non-context mount of a non-security_label export."
+fctx=`secon -t -f /mnt/selinux-testsuite`
+if [ "$fctx" != "nfs_t" ]; then
+    echo "Context mount failed: got $fctx instead of nfs_t."
+    exit 1
+fi
+umount /mnt/selinux-testsuite
+
+# All done.
+echo "Done"
 exportfs -u localhost:$MOUNT
+rmdir /mnt/selinux-testsuite
 systemctl stop nfs-server
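Review bot: all three checks inspect only the type of the mount-point directory (`secon -t -f /mnt/selinux-testsuite`), so they do not exercise the path where a pre-existing file's label is taken from the server's xattrs rather than from the mount option; checking a file that already exists inside the mount as well, for example `fctx=`secon -t -f /mnt/selinux-testsuite/README.md``, would also catch a context mount that is applied to the root inode only. In the third block the message "Context mount failed: got $fctx instead of nfs_t." is misleading, since that test is the non-context mount; "Default NFS labeling failed" describes the case. As in the first patch, each `exit 1` leaves the mount, the export and nfs-server active; performing the `umount`, `exportfs -u` and `systemctl stop nfs-server` cleanup from an EXIT trap would avoid that. The expected `nfs_t` is the genfscon default of the reference policy, so a system running a different policy would need that value adjusted.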
-- 
2.24.1



* Re: [PATCH v3 2/2] testsuite: add further nfs tests
  2020-01-30 20:22 ` [PATCH v3 2/2] testsuite: add further nfs tests Stephen Smalley
@ 2020-02-05 17:10   ` Stephen Smalley
  2020-02-06 16:36     ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-02-05 17:10 UTC (permalink / raw)
  To: paul; +Cc: selinux, omosnace, richard_c_haines

On 1/30/20 3:22 PM, Stephen Smalley wrote:
> In addition to testing full NFS security labeling support,
> make sure that context mounts continue to work independent
> of whether the mount was exported with security_label, and
> add a simple test of the default NFS file labeling.
> 
> With the previous changes, this completes addressing
> https://github.com/SELinuxProject/selinux-testsuite/issues/32
> 
> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
> the relocation.  As before, these patches depend on the previous one
> ("testsuite: enable running over labeled NFS") in order to allow the
> testsuite to pass on NFS mounts.
> 
>   README.md    |  5 ++++-
>   tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
>   2 files changed, 42 insertions(+), 1 deletion(-)

Both are now applied.

[...]




* Re: [PATCH v3 2/2] testsuite: add further nfs tests
  2020-02-05 17:10   ` Stephen Smalley
@ 2020-02-06 16:36     ` Stephen Smalley
  2020-02-13 22:12       ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-02-06 16:36 UTC (permalink / raw)
  To: paul; +Cc: selinux, omosnace, richard_c_haines

On 2/5/20 12:10 PM, Stephen Smalley wrote:
> On 1/30/20 3:22 PM, Stephen Smalley wrote:
>> In addition to testing full NFS security labeling support,
>> make sure that context mounts continue to work independent
>> of whether the mount was exported with security_label, and
>> add a simple test of the default NFS file labeling.
>>
>> With the previous changes, this completes addressing
>> https://github.com/SELinuxProject/selinux-testsuite/issues/32
>>
>> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>> v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
>> the relocation.  As before, these patches depend on the previous one
>> ("testsuite: enable running over labeled NFS") in order to allow the
>> testsuite to pass on NFS mounts.
>>
>>   README.md    |  5 ++++-
>>   tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
>>   2 files changed, 42 insertions(+), 1 deletion(-)
> 
> Both are now applied.
> 
> [...]

It would be good if we could get tools/nfs.sh running on kernels going 
forward in addition to regular runs of selinux-testsuite.

A few potential enhancements and improvements that could still be made 
in the area of NFS testing:

1) There isn't yet a test that trying to mount the same NFS filesystem 
with two different sets of context mount options (or one with and one 
without context mount options) is rejected as expected.

2) There was an earlier bug where mounting a security_label exported NFS 
filesystem twice could clear the native labeling flags and thereby 
disable NFS security labeling support; this was fixed by kernel commit 
3815a245b50124f0865415dcb606a034e97494d4.  Adding a test to confirm that 
this behavior doesn't recur might be useful.

3) There was an earlier bug where context mounts of security_label 
exported NFS filesystems yielded mixed behavior with the top-level mount 
and newly created files appearing with the context mount value but 
pre-existing files appearing with the underlying xattr value; this was 
fixed by 0b4d3452b8b4a5309b4445b900e3cec022cca95a.  My original version 
of nfs.sh actually would have caught this because it was testing the 
context of the nfs.sh script file itself within the context mount but I 
dropped it back to only checking the top-level mount directory when I 
moved tools/nfs.sh to avoid depending on a fixed location for it, so it 
won't be caught currently.  We should probably change it back to testing 
the context of a pre-existing file within the mount; any file will do.

4) Ensuring that all of the tests/filesystem and tests/fs_filesystem 
tests that make sense for NFS are being run on the NFS mount itself and 
not just on an ext4 mount created by the test script.

5) We could have nfs.sh set a variable checked by tests/Makefile to skip 
any tests that are completely irrelevant from a filesystem security 
labeling perspective to minimize noise and duplication with regular runs 
of selinux-testsuite.  In a certain sense, they all exercise filesystem 
security labeling in that they are depending on file labels but they 
aren't all testing that functionality per se.  Deciding exactly which 
ones to include/exclude may not be entirely obvious though.


* Re: [PATCH v3 2/2] testsuite: add further nfs tests
  2020-02-06 16:36     ` Stephen Smalley
@ 2020-02-13 22:12       ` Paul Moore
  2020-02-14 13:17         ` Stephen Smalley
  0 siblings, 1 reply; 7+ messages in thread
From: Paul Moore @ 2020-02-13 22:12 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, omosnace, richard_c_haines

On Thu, Feb 6, 2020 at 11:36 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 2/5/20 12:10 PM, Stephen Smalley wrote:
> > On 1/30/20 3:22 PM, Stephen Smalley wrote:
> >> In addition to testing full NFS security labeling support,
> >> make sure that context mounts continue to work independent
> >> of whether the mount was exported with security_label, and
> >> add a simple test of the default NFS file labeling.
> >>
> >> With the previous changes, this completes addressing
> >> https://github.com/SELinuxProject/selinux-testsuite/issues/32
> >>
> >> Fixes: https://github.com/SELinuxProject/selinux-testsuite/issues/32
> >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >> ---
> >> v3 moves nfs.sh under tools/, updates README.md, and fixes nfs.sh for
> >> the relocation.  As before, these patches depend on the previous one
> >> ("testsuite: enable running over labeled NFS") in order to allow the
> >> testsuite to pass on NFS mounts.
> >>
> >>   README.md    |  5 ++++-
> >>   tools/nfs.sh | 38 ++++++++++++++++++++++++++++++++++++++
> >>   2 files changed, 42 insertions(+), 1 deletion(-)
> >
> > Both are now applied.
> >
> > [...]
>
> It would be good if we could get tools/nfs.sh running on kernels going
> forward in addition to regular runs of selinux-testsuite.

I've never tried this ... is it possible to mount a NFS mount over
loopback?  What about labeled NFS?

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3 2/2] testsuite: add further nfs tests
  2020-02-13 22:12       ` Paul Moore
@ 2020-02-14 13:17         ` Stephen Smalley
  2020-02-20  1:33           ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2020-02-14 13:17 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux, omosnace, richard_c_haines

On 2/13/20 5:12 PM, Paul Moore wrote:
> On Thu, Feb 6, 2020 at 11:36 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> It would be good if we could get tools/nfs.sh running on kernels going
>> forward in addition to regular runs of selinux-testsuite.
> 
> I've never tried this ... is it possible to mount a NFS mount over
> loopback?  What about labeled NFS?

Yes to both.  That's how tools/nfs.sh works.  I added instructions to 
the README.md as part of the patch for dependencies and running it, but 
it isn't run by default.




* Re: [PATCH v3 2/2] testsuite: add further nfs tests
  2020-02-14 13:17         ` Stephen Smalley
@ 2020-02-20  1:33           ` Paul Moore
  0 siblings, 0 replies; 7+ messages in thread
From: Paul Moore @ 2020-02-20  1:33 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, omosnace, richard_c_haines

On Fri, Feb 14, 2020 at 8:16 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 2/13/20 5:12 PM, Paul Moore wrote:
> > On Thu, Feb 6, 2020 at 11:36 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> It would be good if we could get tools/nfs.sh running on kernels going
> >> forward in addition to regular runs of selinux-testsuite.
> >
> > I've never tried this ... is it possible to mount a NFS mount over
> > loopback?  What about labeled NFS?
>
> Yes to both.  That's how tools/nfs.sh works.  I added instructions to
> the README.md as part of the patch for dependencies and running it, but
> it isn't run by default.

[Apologies to Stephen who is getting two copies of this, I forgot to
hit reply-all on my original response]

Thanks.  I'll look into adding that to my automated testing.

I also need to set something up to check to see what other subsystems
drop in security/selinux both in the linux-next tree as well as in
Linus' tree during the -rcX phase.  The keys patch is the latest
snafu, but there have been others.

-- 
paul moore
www.paul-moore.com

