android-xfstests: allow detection of SELinux

Message ID 20170311005306.129624-1-ebiggers3@gmail.com (mailing list archive)
State New, archived

Commit Message

Eric Biggers March 11, 2017, 12:53 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

xfstests is supposed to disable the creation of SELinux xattrs because
this interferes with some tests (e.g. generic/062 and generic/377), but
this was not working on Android.  For the android-xfstests portion of
the fix, make the following changes:

1. To stop the mount program from stripping the 'context' mount option,
mount selinuxfs and create an empty /etc/selinux/config.  This makes the
is_selinux_enabled() function from libselinux return true.

2. To stop xfstests from thinking that SELinux is disabled, link
/usr/sbin/selinuxenabled to /bin/true.  (Note: getting the real version
of selinuxenabled by adding selinux-utils to the chroot tarball would
also work, though no other programs from it are needed yet, and some
don't work in the chroot environment yet.)

In combination with the xfstests patch to stop hard-coding SELinux
contexts in xfstests, this fixes the failing tests.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 kvm-xfstests/android-xfstests | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Theodore Ts'o March 11, 2017, 1:57 a.m. UTC | #1
On Fri, Mar 10, 2017 at 04:53:06PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> xfstests is supposed to disable the creation of SELinux xattrs because
> this interferes with some tests (e.g. generic/062 and generic/377), but
> this was not working on Android.  For the android-xfstests portion of
> the fix, make the following changes:
> 
> 1. To stop the mount program from stripping the 'context' mount option,
> mount selinuxfs and create an empty /etc/selinux/config.  This makes the
> is_selinux_enabled() function from libselinux return true.
> 
> 2. To stop xfstests from thinking that SELinux is disabled, link
> /usr/sbin/selinuxenabled to /bin/true.  (Note: getting the real version
> of selinuxenabled by adding selinux-utils to the chroot tarball would
> also work, though no other programs from it are needed yet, and some
> don't work in the chroot environment yet.)
> 
> In combination with the xfstests patch to stop hard-coding SELinux
> contexts in xfstests, this fixes the failing tests.

Thanks!

I think you're missing the list of tests this fixes here?

  	       	       	   	- Ted
--
To unsubscribe from this list: send the line "unsubscribe fstests" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Biggers March 11, 2017, 3:47 a.m. UTC | #2
On Fri, Mar 10, 2017 at 08:57:36PM -0500, Theodore Ts'o wrote:
> On Fri, Mar 10, 2017 at 04:53:06PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > xfstests is supposed to disable the creation of SELinux xattrs because
> > this interferes with some tests (e.g. generic/062 and generic/377), but
> > this was not working on Android.  For the android-xfstests portion of
> > the fix, make the following changes:
> > 
> > 1. To stop the mount program from stripping the 'context' mount option,
> > mount selinuxfs and create an empty /etc/selinux/config.  This makes the
> > is_selinux_enabled() function from libselinux return true.
> > 
> > 2. To stop xfstests from thinking that SELinux is disabled, link
> > /usr/sbin/selinuxenabled to /bin/true.  (Note: getting the real version
> > of selinuxenabled by adding selinux-utils to the chroot tarball would
> > also work, though no other programs from it are needed yet, and some
> > don't work in the chroot environment yet.)
> > 
> > In combination with the xfstests patch to stop hard-coding SELinux
> > contexts in xfstests, this fixes the failing tests.
> 
> Thanks!
> 
> I think you're missing the list of tests this fixes here?
> 
>   	       	       	   	- Ted

They're mentioned at the top: generic/062 and generic/377.  There may be others
among tests not being run, but those were the ones I observed were fixed.

Eric
Eric Biggers April 27, 2017, 6:16 p.m. UTC | #3
On Fri, Mar 10, 2017 at 04:53:06PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> xfstests is supposed to disable the creation of SELinux xattrs because
> this interferes with some tests (e.g. generic/062 and generic/377), but
> this was not working on Android.  For the android-xfstests portion of
> the fix, make the following changes:
> 
> 1. To stop the mount program from stripping the 'context' mount option,
> mount selinuxfs and create an empty /etc/selinux/config.  This makes the
> is_selinux_enabled() function from libselinux return true.
> 
> 2. To stop xfstests from thinking that SELinux is disabled, link
> /usr/sbin/selinuxenabled to /bin/true.  (Note: getting the real version
> of selinuxenabled by adding selinux-utils to the chroot tarball would
> also work, though no other programs from it are needed yet, and some
> don't work in the chroot environment yet.)
> 
> In combination with the xfstests patch to stop hard-coding SELinux
> contexts in xfstests, this fixes the failing tests.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Ted, this patch seems to have gotten lost; can you apply it?  The corresponding
xfstests-dev fix has already been merged.  Thanks!

- Eric
Theodore Ts'o April 29, 2017, 4:40 p.m. UTC | #4
On Fri, Mar 10, 2017 at 04:53:06PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> xfstests is supposed to disable the creation of SELinux xattrs because
> this interferes with some tests (e.g. generic/062 and generic/377), but
> this was not working on Android.  For the android-xfstests portion of
> the fix, make the following changes:
> 
> 1. To stop the mount program from stripping the 'context' mount option,
> mount selinuxfs and create an empty /etc/selinux/config.  This makes the
> is_selinux_enabled() function from libselinux return true.
> 
> 2. To stop xfstests from thinking that SELinux is disabled, link
> /usr/sbin/selinuxenabled to /bin/true.  (Note: getting the real version
> of selinuxenabled by adding selinux-utils to the chroot tarball would
> also work, though no other programs from it are needed yet, and some
> don't work in the chroot environment yet.)
> 
> In combination with the xfstests patch to stop hard-coding SELinux
> contexts in xfstests, this fixes the failing tests.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Applied, thanks.

					- Ted

Patch

diff --git a/kvm-xfstests/android-xfstests b/kvm-xfstests/android-xfstests
index 7e3eab3..e798c7e 100755
--- a/kvm-xfstests/android-xfstests
+++ b/kvm-xfstests/android-xfstests
@@ -81,6 +81,14 @@  chroot_prepare()
 ! mountpoint $CHROOT_DIR/proc > /dev/null && mount proc -t proc $CHROOT_DIR/proc
 ! mountpoint $CHROOT_DIR/dev > /dev/null && mount --bind /dev $CHROOT_DIR/dev
 
+# Allow xfstests to detect that SELinux is in use.
+! mountpoint $CHROOT_DIR/sys/fs/selinux > /dev/null && \
+		mount selinuxfs -t selinuxfs $CHROOT_DIR/sys/fs/selinux
+touch $CHROOT_DIR/etc/selinux/config
+if [ ! -e $CHROOT_DIR/usr/sbin/selinuxenabled ]; then
+	ln $CHROOT_DIR/bin/true $CHROOT_DIR/usr/sbin/selinuxenabled
+fi
+
 # 'mountpoint' doesn't work with directory bind mounts; use /proc/mounts instead
 if ! cut -d' ' -f2 /proc/mounts 2>/dev/null | grep -q '^$CHROOT_DIR/results$'; then
     mkdir -p $RESULTS_DIR
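Review bot: The result of the selinuxfs mount in the first added command is never checked, yet the `touch` and `ln` lines after it run unconditionally, so if that mount fails the chroot still reports SELinux as enabled through the linked selinuxenabled. Consider running the `touch` and `ln` only when `mountpoint $CHROOT_DIR/sys/fs/selinux` succeeds afterwards. The `touch $CHROOT_DIR/etc/selinux/config` line also assumes the etc/selinux directory already exists in the chroot; a `mkdir -p $CHROOT_DIR/etc/selinux` ahead of it would remove that dependency on the tarball contents.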
@@ -92,6 +100,7 @@  EOF
 chroot_wipe()
 {
     cat <<EOF | adb shell
+umount $CHROOT_DIR/sys/fs/selinux &> /dev/null
 umount $CHROOT_DIR/sys &> /dev/null
 umount $CHROOT_DIR/proc &> /dev/null
 umount $CHROOT_DIR/dev &> /dev/null
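Review bot: The added `umount $CHROOT_DIR/sys/fs/selinux` has to stay ahead of `umount $CHROOT_DIR/sys`, because selinuxfs is mounted beneath it, but nothing in chroot_wipe() records that ordering; a one-line comment would keep a later reordering from leaving sys busy. Since the output goes to `&> /dev/null`, a failure of this umount is silent and the sys umount after it would then fail silently as well, so it may be worth letting at least this error through.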