SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

RFE: add submount test #43

Closed WOnder93 closed 4 years ago

WOnder93 commented 5 years ago

Add a test that verifies that SELinux permissions are not checked when mounting submounts. The test sets up a simple local NFS export on a directory which has another filesystem mounted on its subdirectory. Since the export is set up with the crossmnt option enabled, any client mount will try to transparently mount any subdirectory that has a filesystem mounted on it on the server, triggering an internal mount. The test tries to access the automounted part of this export via a client mount without having permission to mount filesystems, expecting it to succeed.

At the time of writing, this test fails on all upstream kernels. To pass, it requires the following kernel patch to be applied:

https://lore.kernel.org/selinux/20181116131202.26513-1-omosnace@redhat.com/T/

The test first checks whether it is able to export and mount directories via NFS and skips the actual tests if e.g. the NFS daemon is not running. This means that the testsuite can still be run without having the NFS server installed and running.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

WOnder93 commented 5 years ago

> Since the export is set up with hte crossmnt option enabled, any client

s/hte/the/

> The tries to access the automounted part of this export via a client

The test tries...

Sorry, I clearly should have had my coffee before submitting this, not after :) I will fix the typos tomorrow.

WOnder93 commented 5 years ago

Typos fixed.

stephensmalley commented 5 years ago

Not sure if this is still relevant, but this test fails for me on stock F30, 5.2.14-200.

```
submount/test ............... ls: cannot access '/home/sds/selinux-testsuite/tests/submount/nfs_import': Permission denied
submount/test ............... 1/?
Failed test at submount/test line 69.
cat: /home/sds/selinux-testsuite/tests/submount/nfs_import/submount/file: Permission denied
Failed test at submount/test line 74.
Looks like you failed 2 tests of 2.
submount/test ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/2 subtests
```

WOnder93 commented 5 years ago

Fixed issues:

stephensmalley commented 5 years ago

Still appears to fail for me with 5.2.14-200.fc30.x86_64

```
submount/test ............... ls: cannot access '/home/sds/selinux-testsuite/tests/submount/nfs_import': Permission denied
submount/test ............... 1/2
Failed test at submount/test line 70.
cat: /home/sds/selinux-testsuite/tests/submount/nfs_import/submount/file: Permission denied
Failed test at submount/test line 75.
Looks like you failed 2 tests of 2.
submount/test ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/2 subtests
```

```
type=PROCTITLE msg=audit(09/19/2019 15:11:10.901:9063) : proctitle=ls /home/sds/selinux-testsuite/tests/submount/nfs_import
type=PATH msg=audit(09/19/2019 15:11:10.901:9063) : item=0 name=/home/sds/selinux-testsuite/tests/submount/nfs_import nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/19/2019 15:11:10.901:9063) : cwd=/home/sds/selinux-testsuite/tests
type=SYSCALL msg=audit(09/19/2019 15:11:10.901:9063) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fffd0d5d44b a1=0x55ada9803548 a2=0x55ada9803548 a3=0x0 items=1 ppid=14347 pid=14348 auid=sds uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=8 comm=ls exe=/usr/bin/ls subj=unconfined_u:unconfined_r:test_readnfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/19/2019 15:11:10.901:9063) : avc: denied { search } for pid=14348 comm=ls name=sds dev="dm-2" ino=17039361 scontext=unconfined_u:unconfined_r:test_readnfs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
```

WOnder93 commented 5 years ago

Right, test_readnfs_t needed permission to search the parent directories so that it can ls the path. Hopefully this version will work now.
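Working out which rule the AVC record above is missing, as an added example that is not part of this PR or of the testsuite: it parses the `type=AVC` line quoted in the thread (embedded below as a constructed sample, with a non-AVC record to show it is skipped), groups denials by source type, target type and object class, and prints the allow rule each group implies, which for this denial is the `search` permission on `user_home_dir_t` that the fix grants to `test_readnfs_t`.

```python
"""Derive the allow rules implied by SELinux AVC denial records."""
import re
from collections import defaultdict

# Constructed sample: the PROCTITLE and AVC records quoted earlier in this thread.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(09/19/2019 15:11:10.901:9063) : proctitle=ls /home/sds/selinux-testsuite/tests/submount/nfs_import
type=AVC msg=audit(09/19/2019 15:11:10.901:9063) : avc: denied { search } for pid=14348 comm=ls name=sds dev="dm-2" ino=17039361 scontext=unconfined_u:unconfined_r:test_readnfs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
"""

# Matches the permission set, both contexts, the object class and the enforcing flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type[:range] context.
    return {
        "perms": set(m["perms"].split()),
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "enforced": m["permissive"] != "1",  # permissive=1 means it was only logged
    }


def format_rule(stype, ttype, tclass, perms):
    plist = sorted(perms)
    body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def derive_allow_rules(log_text):
    """Merge all denials for one (source, target, class) triple into a single rule."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Grant only what the denial names, and check the target type before adding a rule: a search denial on the home directory, as here, means the test domain's path crosses a directory it was never given access to, not that the submount check itself failed.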

WOnder93 commented 5 years ago

(Commit message updated - the kernel patch has already been merged.)

stephensmalley commented 4 years ago

Please send as a patch to selinux list, thanks.