From: Eric Biggers <ebiggers3@gmail.com>
To: fstests@vger.kernel.org
Cc: Theodore Ts'o <tytso@mit.edu>, Eric Biggers <ebiggers@google.com>
Subject: [PATCH 2/2] common/config: don't hard-code SELinux context
Date: Fri, 10 Mar 2017 16:50:48 -0800
Message-ID: <20170311005048.128477-2-ebiggers3@gmail.com>
In-Reply-To: <20170311005048.128477-1-ebiggers3@gmail.com>
From: Eric Biggers <ebiggers@google.com>
If SELinux is enabled, xfstests mounts its filesystems with
"-o context=system_u:object_r:nfs_t:s0" so that no SELinux xattrs get
created and interfere with tests. However, this particular context is
not guaranteed to be available because the context names are a detail of
the SELinux policy. The SELinux policy on Android systems, for example,
does not have a context with this name.
To fix this, just grab the SELinux context of the root directory. This
is arbitrary, but it should always provide a valid context. And any
valid context *should* be okay (i.e. we don't necessarily need a
"liberal" one), since one would likely encounter many other problems if
they were to run xfstests in a confined context with SELinux in
enforcing mode.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
common/config | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/common/config b/common/config
index fb60216c..ab635767 100644
--- a/common/config
+++ b/common/config
@@ -259,11 +259,16 @@ case "$HOSTOS" in
esac
# SELinux adds extra xattrs which can mess up our expected output.
-# So, mount with a context, and they won't be created
-# # nfs_t is a "liberal" context so we can use it.
+# So, mount with a context, and they won't be created.
+#
+# Since the context= option only accepts contexts defined in the
+# SELinux policy, and different systems may have different policies
+# with different context names, use the context of an existing
+# directory. (Assume that any valid context is fine, since xfstests
+# should really only be run from an "unconfined" process, or with
+# SELinux in permissive mode.)
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
- SELINUX_MOUNT_OPTIONS="-o context=system_u:object_r:nfs_t:s0"
- export SELINUX_MOUNT_OPTIONS
+ export SELINUX_MOUNT_OPTIONS="-o context=$(stat -c %C /)"
fi
# check if mkfs.xfs supports v5 xfs
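Review bot: the command substitution on the `+ export SELINUX_MOUNT_OPTIONS="-o context=$(stat -c %C /)"` line is used without any check on its result. `%C` is a GNU coreutils extension, and the commit message motivates this change with Android, whose `stat` is not coreutils; if `stat` fails, lacks `%C`, or prints a placeholder instead of a context, the variable silently becomes `-o context=` (or `-o context=<garbage>`), and every later mount in the run fails with an error that no longer points back to this line. Suggest capturing into a variable first and exporting only a non-empty result, something like `ctx=$(stat -c %C / 2>/dev/null)` followed by `[ -n "$ctx" ] && export SELINUX_MOUNT_OPTIONS="-o context=$ctx"`, or at least failing loudly when `stat` cannot report a context. It would also be worth noting in the new comment why `/` specifically was chosen (the commit message says "arbitrary"), since a reader of `common/config` alone will not see that rationale.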
--
2.12.0.246.ga2ecc84866-goog
Thread overview: 5+ messages
2017-03-11 0:50 [PATCH 1/2] common/quota: remove redundant SELinux detection code Eric Biggers
2017-03-11 0:50 ` Eric Biggers [this message]
2017-03-13 4:02 ` [PATCH 2/2] common/config: don't hard-code SELinux context Eryu Guan
2017-03-13 17:59 ` Eric Biggers
2017-03-14 13:06 ` Eryu Guan