From: Anand Jain <anand.jain@oracle.com>
To: Zorro Lang <zlang@redhat.com>
Cc: Qu Wenruo <quwenruo.btrfs@gmx.com>, Qu Wenruo <wqu@suse.com>,
linux-btrfs@vger.kernel.org, fstests@vger.kernel.org,
Long An <lan@suse.com>
Subject: Re: [PATCH] btrfs/012: fix false alerts when SELinux is enabled
Date: Wed, 23 Oct 2024 17:00:08 +0800 [thread overview]
Message-ID: <1a2e7839-09c3-4584-be31-c783f940c41f@oracle.com> (raw)
In-Reply-To: <20241023041228.d3rkmmci5vnw5ict@dell-per750-06-vm-08.rhts.eng.pek2.redhat.com>
On 23/10/24 12:12, Zorro Lang wrote:
> On Tue, Oct 22, 2024 at 01:12:15PM +1030, Qu Wenruo wrote:
>>
>>
>> 在 2024/10/19 08:45, Anand Jain 写道:
>>> On 18/10/24 08:04, Qu Wenruo wrote:
>>>> [FALSE FAILURE]
>>>> If SELinux is enabled, the test btrfs/012 will fail due to metadata
>>>> mismatch:
>>>>
>>>> FSTYP -- btrfs
>>>> PLATFORM -- Linux/x86_64 localhost 6.4.0-150600.23.25-default #1
>>>> SMP PREEMPT_DYNAMIC Tue Oct 1 10:54:01 UTC 2024 (ea7c56d)
>>>> MKFS_OPTIONS -- /dev/loop1
>>>> MOUNT_OPTIONS -- -o context=system_u:object_r:root_t:s0 /dev/loop1 /
>>>> mnt/scratch
>>>>
>>>> btrfs/012 - output mismatch (see /home/adam/xfstests-dev/
>>>> results//btrfs/012.out.bad)
>>>> --- tests/btrfs/012.out 2024-10-18 10:15:29.132894338 +1030
>>>> +++ /home/adam/xfstests-dev/results//btrfs/012.out.bad
>>>> 2024-10-18 10:25:51.834819708 +1030
>>>> @@ -1,6 +1,1390 @@
>>>> QA output created by 012
>>>> Checking converted btrfs against the original one:
>>>> -OK
>>>> +metadata mismatch in /p0/d2/f4
>>>> +metadata mismatch in /p0/d2/f5
>>>> +metadata and data mismatch in /p0/d2/
>>>> +metadata and data mismatch in /p0/
>>>> ...
>>>>
>>>> [CAUSE]
>>>> All the mismatch happens in the metadata, to be more especific, it's the
>>>> security xattrs.
>>>>
>>>> Although btrfs-convert properly convert all xattrs including the
>>>> security ones, at mount time we will get new SELinux labels, causing the
>>>> mismatch between the converted and original fs.
>>>>
>>>> [FIX]
>>>> Override SELINUX_MOUNT_OPTIONS so that we will not touch the security
>>>> xattrs, and that should fix the false alert.
>>>>
>>>> Reported-by: Long An <lan@suse.com>
>>>> Link: https://bugzilla.suse.com/show_bug.cgi?id=1231524
>>>> Signed-off-by: Qu Wenruo <wqu@suse.com>
>>>> ---
>>>> tests/btrfs/012 | 5 +++++
>>>> 1 file changed, 5 insertions(+)
>>>>
>>>> diff --git a/tests/btrfs/012 b/tests/btrfs/012
>>>> index b23e039f4c9f..5811b3b339cb 100755
>>>> --- a/tests/btrfs/012
>>>> +++ b/tests/btrfs/012
>>>> @@ -32,6 +32,11 @@ _require_extra_fs ext4
>>>> BASENAME="stressdir"
>>>> BLOCK_SIZE=`_get_block_size $TEST_DIR`
>>>> +# Override the SELinux mount options, or it will lead to unexpected
>>>> +# different security.selinux between the original and converted fs,
>>>> +# causing false metadata mismatch during fssum.
>>>> +export SELINUX_MOUNT_OPTIONS=""
>>>> +
>>>
>>> SELINUX_MOUNT_OPTIONS is set only when SELinux is enabled on the system,
>>> so disabling SELinux will suffice.
>>
>> Are you suggesting to disable SELinux just to pass the test case?
>>
>> Then it doesn't sound correct to me at all.
>>
>> It should be the test case to adapt to all kinds of systems, not the
>> other way.
>
> Hi Anand, I think Qu is right, it's not worth disable the whole SELinux
> (at the beginning of fstests running), just for a single test case.
> I just hope to make sure btrfs forks agree this's a failure which should
> be fixed in test side, but not change the selinux config for btrfs-progs.
> If you're sure about it, I'll merge this patch :)
>
Yes, I realized that a bit later.
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Even if we create _require_selinux() and _reset_selinux_mount_options(),
there are only a few consumers, such as btrfs/075 and generic/700 for
the former, and btrfs/008, btrfs/019, and generic/700 for the latter.
Do you think it is better?
Thx, Anand
> Thanks,
> Zorro
>
>>
>> Thanks,
>> Qu
>>
>>>
>>> -------
>>> fstests/common/config:
>>> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>>> : ${SELINUX_MOUNT_OPTIONS:="-o context=$(stat -c %C /)"}
>>> export SELINUX_MOUNT_OPTIONS
>>> fi
>>> ----------
>>>
>>> Thanks, Anand
>>>
>>>> # Create & populate an ext4 filesystem
>>>> $MKFS_EXT4_PROG -F -b $BLOCK_SIZE $SCRATCH_DEV > $seqres.full 2>&1 || \
>>>> _notrun "Could not create ext4 filesystem"
>>>
>>>
>>
>>
>
next prev parent reply other threads:[~2024-10-23 9:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-18 0:04 [PATCH] btrfs/012: fix false alerts when SELinux is enabled Qu Wenruo
2024-10-18 22:15 ` Anand Jain
2024-10-22 2:42 ` Qu Wenruo
2024-10-23 4:12 ` Zorro Lang
2024-10-23 9:00 ` Anand Jain [this message]
2024-10-23 9:27 ` Qu Wenruo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a2e7839-09c3-4584-be31-c783f940c41f@oracle.com \
--to=anand.jain@oracle.com \
--cc=fstests@vger.kernel.org \
--cc=lan@suse.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=quwenruo.btrfs@gmx.com \
--cc=wqu@suse.com \
--cc=zlang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).