public inbox for fstests@vger.kernel.org
From: Eric Biggers <ebiggers3@gmail.com>
To: Eryu Guan <eguan@redhat.com>
Cc: fstests@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
	Gwendal Grignou <gwendal@chromium.org>,
	Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH 2/2] common/config: don't hard-code SELinux context
Date: Mon, 13 Mar 2017 10:59:35 -0700
Message-ID: <20170313175935.GA108079@gmail.com>
In-Reply-To: <20170313040226.GV14226@eguan.usersys.redhat.com>

On Mon, Mar 13, 2017 at 12:02:26PM +0800, Eryu Guan wrote:
> On Fri, Mar 10, 2017 at 04:50:48PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > If SELinux is enabled, xfstests mounts its filesystems with
> > "-o context=system_u:object_r:nfs_t:s0" so that no SELinux xattrs get
> > created and interfere with tests.  However, this particular context is
> > not guaranteed to be available because the context names are a detail of
> > the SELinux policy.  The SELinux policy on Android systems, for example,
> > does not have a context with this name.
> > 
> > To fix this, just grab the SELinux context of the root directory.  This
> > is arbitrary, but it should always provide a valid context.  And any
> > valid context *should* be okay (i.e. we don't necessarily need a
> > "liberal" one), since one would likely encounter many other problems if
> > they were to run xfstests in a confined context with SELinux in
> > enforcing mode.
> > 
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> 
> SELINUX_MOUNT_OPTIONS has just been updated to be configurable, you can
> set your own SELINUX_MOUNT_OPTIONS to override the default one, does
> this work for you?
> 
> d8b1dc1 common/config: make SELinux protection conditional
> 
> Thanks,
> Eryu

Oh, I didn't notice this.  It looks like Gwendal ran into the same problem, but
on ChromeOS instead of Android.

The problem can indeed be solved by overriding SELINUX_MOUNT_OPTIONS.  But I
think auto-detecting a valid context is better because then xfstests will just
work without having to override SELINUX_MOUNT_OPTIONS.

An exception would be that if for some reason someone actually wants to run
xfstests in some particular SELinux context (maybe one they've set up
specifically for xfstests), then they'd likely need to specify a particular
context when mounting.

How about just doing it both ways: use SELINUX_MOUNT_OPTIONS in the environment
if set, otherwise mount with an auto-detected valid context?

Eric
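The "both ways" scheme proposed above, as an added example rather than the fstests common/config code itself: an explicit SELINUX_MOUNT_OPTIONS wins, otherwise the label of "/" is read and validated before being turned into a context= mount option. It assumes /usr/sbin/selinuxenabled and GNU coreutils `stat -c %C` are how SELinux state and the root label are probed; the decision logic is kept in a separate function so it can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example (not fstests code). Assumptions: selinuxenabled(8) lives in
# /usr/sbin, and `stat -c %C /` (GNU coreutils) prints the label of "/".

# selinux_enabled: succeed only when SELinux is present and enabled here.
selinux_enabled() {
    [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled
}

# valid_context CTX: user:role:type[:range]; fields non-empty, no whitespace.
# Accepts both refpolicy-style (system_u:object_r:root_t:s0) and Android-style
# (u:object_r:rootfs:s0) labels; rejects "?" (stat's "no label" marker) and "".
valid_context() {
    printf '%s\n' "$1" |
        grep -Eq '^[^:[:space:]]+:[^:[:space:]]+:[^:[:space:]]+(:[^[:space:]]+)?$'
}

# root_context: print the SELinux label of "/", fail if none is readable.
root_context() {
    ctx=$(stat -c %C / 2>/dev/null) || return 1
    valid_context "$ctx" || return 1
    printf '%s\n' "$ctx"
}

# pick_selinux_mount_options USER_OPTS ENABLED CTX
#   USER_OPTS non-empty        -> printed verbatim (explicit override wins)
#   ENABLED=1 and CTX valid    -> "-o context=CTX" (auto-detected label)
#   anything else              -> nothing (SELinux off, or no usable label)
pick_selinux_mount_options() {
    user_opts=$1; enabled=$2; ctx=$3
    if [ -n "$user_opts" ]; then
        printf '%s\n' "$user_opts"
    elif [ "$enabled" = 1 ] && valid_context "$ctx"; then
        printf '%s\n' "-o context=$ctx"
    fi
}

# detect_selinux_mount_options: probe this host and apply the policy above.
detect_selinux_mount_options() {
    if selinux_enabled; then
        enabled=1
        ctx=$(root_context) || ctx=
    else
        enabled=0
        ctx=
    fi
    pick_selinux_mount_options "${SELINUX_MOUNT_OPTIONS:-}" "$enabled" "$ctx"
}
```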

Thread overview: 5+ messages
2017-03-11  0:50 [PATCH 1/2] common/quota: remove redundant SELinux detection code Eric Biggers
2017-03-11  0:50 ` [PATCH 2/2] common/config: don't hard-code SELinux context Eric Biggers
2017-03-13  4:02   ` Eryu Guan
2017-03-13 17:59     ` Eric Biggers [this message]
2017-03-14 13:06       ` Eryu Guan