Date: Wed, 19 Feb 2020 13:07:20 -0500
From: "J. Bruce Fields"
To: Richard Haines
Cc: smayhew@redhat.com, paul@paul-moore.com, sds@tycho.nsa.gov, selinux@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: Re: Test to trace NFS unlabeled bug
Message-ID: <20200219180720.GA23275@fieldses.org>
X-Mailing-List: linux-nfs@vger.kernel.org

On Wed, Feb 19, 2020 at 06:03:02PM +0000, Richard Haines wrote:
> I've been building selinux-testsuite tests for various filesystems and
> have come across an unlabeled issue when testing. Stephen thinks that
> this is a bug sometimes seen with labeled NFS, where the top-level
> mounted directory shows up with unlabeled_t initially, then later gets
> refreshed to a valid context.
>
> I've put together a test script, policy module and mount prog to
> facilitate debugging this issue.
> I've set out how I tested this on a
> Fedora 31 system below; if there are any problems, let me know. Thanks!

Adding the nfs group to the cc.

I seem to recall a report of a similar bug in the Red Hat bugzilla, that
I spent a little time investigating and couldn't pin down.  I'll see if
I can dig that up.

--b.

>
> The nfs.sh script:
> MOUNT=`stat --print %m .`
> TESTDIR=`pwd`
> systemctl start nfs-server
> exportfs -orw,no_root_squash,security_label localhost:$MOUNT
> mkdir -p /mnt/selinux-testsuite
> runcon -t test_nfs_unlabeled_bug ./mount -f nfs4 -s localhost:$TESTDIR \
>     -t /mnt/selinux-testsuite \
>     -o "nfsvers=4.2,proto=tcp,clientaddr=127.0.0.1,addr=127.0.0.1" -v
> umount /mnt/selinux-testsuite
> exportfs -u localhost:$MOUNT
> systemctl stop nfs-server
>
> Install mount.c, unlabeled_bug.te and nfs.sh
>
> Build mount prog:
> cc mount.c -o mount -Wall
> Then:
> chcon -t bin_t ./mount
>
> Build policy module and install:
> make -f /usr/share/selinux/devel/Makefile unlabeled_bug.pp
> semodule -i unlabeled_bug.pp
>
> Clean audit log:
> > /var/log/audit/audit.log
>
> run ./nfs.sh
>
> Check audit log:
> audit2allow -p /etc/selinux/targeted/policy/policy.31 < /var/log/audit/audit.log
>
> Should see:
> #============= test_nfs_unlabeled_bug ==============
> allow test_nfs_unlabeled_bug unlabeled_t:dir search;
>
> Once done:
> semodule -r unlabeled_bug
>
> /* cc mount.c -o mount -Wall */
> #include <stdio.h>
> #include <stdlib.h>
> #include <stdbool.h>
> #include <string.h>
> #include <errno.h>
> #include <unistd.h>
> #include <sys/mount.h>
>
> static void print_usage(char *progname)
> {
>     fprintf(stderr,
>         "usage: %s [-s src] -t tgt [-f fs_type] [-o options]\n"
>         "Where:\n\t"
>         "-s Source path\n\t"
>         "-t Target path\n\t"
>         "-f Filesystem type\n\t"
>         "-o Options list (comma separated list)\n\t"
>         "-v Print information.\n", progname);
>     exit(-1);
> }
>
> int main(int argc, char *argv[])
> {
>     int opt, result, save_err, flags = 0;
>     char *src = NULL, *tgt = NULL, *fs_type = NULL, *opts = NULL;
>     bool verbose = false;
>
>     while ((opt = getopt(argc, argv, "s:t:f:o:v")) != -1) {
>         switch (opt) {
>         case 's':
>             src = optarg;
>             break;
>         case 't':
>             tgt = optarg;
>             break;
>         case 'f':
>             fs_type = optarg;
>             break;
>         case 'o':
>             opts = optarg;
>             break;
>         case 'v':
>             verbose = true;
>             break;
>         default:
>             print_usage(argv[0]);
>         }
>     }
>
>     /* The target path is the only mandatory argument. */
>     if (!tgt)
>         print_usage(argv[0]);
>
>     if (verbose)
>         printf("Mounting\n\tsrc: %s\n\ttgt: %s\n\tfs_type: %s flags: 0x%x\n\topts: %s\n",
>                src, tgt, fs_type, flags, opts);
>
>     /* Call mount(2) directly so the SELinux checks are made in the
>      * runcon'd domain; keep errno before anything else can change it. */
>     result = mount(src, tgt, fs_type, flags, opts);
>     save_err = errno;
>     if (result < 0) {
>         fprintf(stderr, "Failed mount(2): %s\n", strerror(errno));
>         return save_err;
>     }
>
>     return 0;
> }
>
> policy_module(unlabeled_bug, 1.0)
>
> require {
>     role unconfined_r;
>     type bin_t,user_devpts_t,nfs_t,kernel_t;
>     class file { entrypoint execute read };
>     class capability { sys_admin };
>     class system { module_request };
>     class chr_file { append getattr read write };
>     class dir { search };
>     class filesystem { mount };
> }
>
> #============= test_nfs_unlabeled_bug ==============
> type test_nfs_unlabeled_bug;
> role unconfined_r types test_nfs_unlabeled_bug;
> files_type(test_nfs_unlabeled_bug)
> domain_type(test_nfs_unlabeled_bug)
> allow test_nfs_unlabeled_bug bin_t:file { entrypoint execute read };
> files_mounton_default(test_nfs_unlabeled_bug)
> allow test_nfs_unlabeled_bug bin_t:file map;
> allow test_nfs_unlabeled_bug default_t:dir mounton;
> allow test_nfs_unlabeled_bug self:capability sys_admin;
> allow test_nfs_unlabeled_bug kernel_t:system module_request;
> allow test_nfs_unlabeled_bug nfs_t:dir search;
> allow test_nfs_unlabeled_bug nfs_t:filesystem mount;
> allow test_nfs_unlabeled_bug user_devpts_t:chr_file { append getattr read write };
>
> #allow test_nfs_unlabeled_bug unlabeled_t:dir search;
>
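The "Check audit log" step in the quoted procedure goes through audit2allow to surface the denial. The script below is an added example for this thread, not code from the email or from selinux-testsuite: it parses raw AVC records from the audit log directly, keeps only denials in which the test domain (test_nfs_unlabeled_bug) touched an object still labelled unlabeled_t, and renders each one in the same allow-rule form the email says the test should print, so the transient-label symptom can be recognised and counted without granting anything. The record layout is the standard kernel AVC audit format; SAMPLE_LOG is constructed for the example, with invented pids, inode and device numbers and timestamps.

```python
"""Scan a Linux audit log for the AVC denial the nfs.sh test expects:
the test domain searching a directory that still carries unlabeled_t.

Added example for this thread; not code from the email or from
selinux-testsuite. SAMPLE_LOG is constructed (pids, inode, device
numbers and timestamps are invented); the record layout is the
standard kernel AVC audit format.
"""
import re
from dataclasses import dataclass, field

# Header of an AVC record: timestamp:serial, verdict and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
# key=value pairs that follow "for"; values may be quoted (comm="mount").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict = field(default_factory=dict)

    def type_of(self, key):
        """Return the SELinux type from a user:role:type[:range] context."""
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Parse one audit line; return an Avc for AVC records, else None."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Avc(float(m.group("ts")), int(m.group("serial")),
               m.group("result"), m.group("perms").split(), fields)


def find_unlabeled_denials(lines, domain="test_nfs_unlabeled_bug"):
    """Denials where `domain` hit an object still labelled unlabeled_t."""
    hits = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != "denied":
            continue
        if avc.type_of("scontext") == domain and avc.type_of("tcontext") == "unlabeled_t":
            hits.append(avc)
    return hits


def as_allow_rule(avc):
    """Render a denial the way audit2allow prints it, so the result can be
    compared with the rule the email says the test should produce."""
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return (f"allow {avc.type_of('scontext')} "
            f"{avc.type_of('tcontext')}:{avc.fields['tclass']} {perms};")


# Constructed sample: one SYSCALL line (ignored), the expected unlabeled_t
# denial on the mount root, a denial from another domain, and a denial by
# the test domain on a correctly labelled (nfs_t) directory.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1582135600.101:201): arch=c000003e syscall=165 success=no exit=-13 comm="mount"
type=AVC msg=audit(1582135600.101:201): avc:  denied  { search } for  pid=4242 comm="mount" name="/" dev="0:49" ino=2 scontext=unconfined_u:unconfined_r:test_nfs_unlabeled_bug:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1582135600.105:202): avc:  denied  { read } for  pid=4243 comm="cat" name="notes" dev="0:49" ino=17 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1582135600.110:203): avc:  denied  { getattr } for  pid=4242 comm="mount" name="/" dev="0:49" ino=2 scontext=unconfined_u:unconfined_r:test_nfs_unlabeled_bug:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
"""

if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /var/log/audit/audit.log) to scan a real log.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for avc in find_unlabeled_denials(lines):
        print(f"serial {avc.serial}: {avc.fields.get('comm')} on "
              f"name={avc.fields.get('name')} -> {as_allow_rule(avc)}")
```

A hit with tclass=dir and name="/" matches the symptom the thread describes, the mount root momentarily carrying unlabeled_t before it is refreshed. The rendered rule exists only to line up with the audit2allow output the email expects; the quoted policy module deliberately leaves that allow rule commented out, which is what makes the denial visible in the first place.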