3 # Run select tests by setting ONLY, or as arguments to the script.
4 # Skip specific tests by setting EXCEPT.
6 # e.g. ONLY="22 23" or ONLY="`seq 32 39`" or EXCEPT="31"
10 # bug number for skipped test:
11 ALWAYS_EXCEPT=${ALWAYS_EXCEPT:-"$SANITY_SELINUX_EXCEPT"}
12 # UPDATE THE COMMENT ABOVE WITH BUG NUMBERS WHEN CHANGING ALWAYS_EXCEPT!
# Locate the Lustre tree relative to this script unless LUSTRE is preset,
# then source the shared test framework and the per-configuration settings
# (CONFIG defaults to tests/cfg/$NAME.sh).
17 LUSTRE=${LUSTRE:-$(dirname $0)/..}
18 . $LUSTRE/tests/test-framework.sh
20 . ${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}
# The MDT-side xattr checks below run commands on the MDS facets; without
# remote shell access to them nothing here can be verified, so exit cleanly.
23 require_dsh_mds || exit 0
# With SLOW=no the tests named in EXCEPT_SLOW are skipped; "xxx" presumably
# matches no test, so nothing in this suite is considered slow.
25 [ "$SLOW" = "no" ] && EXCEPT_SLOW="xxx"
27 # $RUNAS_ID may get set incorrectly somewhere else
# Refuse to run the unprivileged-user tests as uid 0: tests 3, 4, 20a and
# 20b act as $RUNAS_ID and would prove nothing if that were root as well.
# NOTE(review): both expansions are unquoted; with RUNAS_ID unset this `[`
# reports a syntax error on stderr and evaluates false instead of aborting.
28 [ $UID -eq 0 -a $RUNAS_ID -eq 0 ] &&
29 error "RUNAS_ID set to 0, but UID is also 0!"
32 # global variables of this sanity
# Preflight check: refuse to run unless SELinux is enforcing the targeted
# policy, since every test below asserts on labels and denials that only
# exist in that configuration. (The enclosing function's header and the
# closing `fi`s of the ifs below are not shown in this listing.)
36 echo -n "Checking SELinux environment... "
37 local selinux_status=$(getenforce)
# Permissive or Disabled would let the denial-expecting tests pass
# vacuously, so skip the whole suite rather than report a misleading pass.
38 if [ "$selinux_status" != "Enforcing" ]; then
39 skip "SELinux is currently in $selinux_status mode," \
40 "but it must be enforced to run sanity-selinux" && exit 0
# Take the loaded policy name from sestatus; fall back to the policy named
# in the config file when no "Loaded policy name" line is present.
42 local selinux_policy=$(sestatus |
43 awk -F':' '$1 == "Loaded policy name" {print $2}' |
45 if [ -z "$selinux_policy" ]; then
46 selinux_policy=$(sestatus |
47 awk -F':' '$1 == "Policy from config file"
# Only the targeted policy is accepted, presumably because the SELinux
# users and types used later (unconfined_u, guest_u, user_u, nfs_t) are
# defined there.
51 [ "$selinux_policy" == "targeted" ] ||
52 error "Accepting only targeted policy"
53 echo "$selinux_status, $selinux_policy"
58 # we want double mount
# MOUNT_2=yes makes the framework mount the filesystem a second time
# ($DIR2); tests 10 and 20* use it to observe labels from a second client.
59 MOUNT_2=${MOUNT_2:-"yes"}
60 check_and_setup_lustre
# Remove leftovers from earlier runs (entries matching [df][0-9]*).
# NOTE(review): $DIR is unquoted and unguarded; if it were empty this glob
# would run against the root directory. `rm -rf "${DIR:?}"/[df][0-9]*`
# aborts instead of deleting.
62 rm -rf $DIR/[df][0-9]*
# Verify the unprivileged identity ($RUNAS_ID / $RUNAS) is usable before
# the tests that switch to it.
64 check_runas_id $RUNAS_ID $RUNAS_ID $RUNAS
# check_selinux_xattr: read the on-disk security.selinux xattr of a path
# directly from an MDT's backing filesystem, bypassing the Lustre client,
# so the test can prove the label was actually persisted server-side.
# The omitted lines presumably bind $mds (facet name, e.g. "mds1") and
# $mds_path (path relative to the filesystem root) from the arguments and
# echo $xattrval after the unmount; callers capture it with $(...).
70 check_selinux_xattr() {
# ($mds_dev is assigned but not referenced in the visible lines.)
73 local mds_dev=$(facet_device $mds)
# NOTE(review): fixed, predictable mount point created as root on the MDS.
# `mkdir -p` silently accepts a pre-existing /tmp/mdt_ (including a symlink
# to a directory), and the backing store is then mounted there; a
# `mktemp -d` directory on the facet would avoid that.
74 local mntpt="/tmp/mdt_"
77 do_facet $mds mkdir -p $mntpt || error "mkdir $mntpt failed"
# Mount the MDT's backing filesystem so its xattrs can be read with plain
# getfattr; "ROOT" is presumably the namespace root inside that store.
78 mount_fstype $mds $mntpt || error "mount $mds failed"
# getfattr prints `security.selinux="..."`; keep only the quoted value.
80 local xattrval=$(do_facet $mds getfattr -n security.selinux \
81 ${mntpt}/ROOT/$mds_path |
82 awk -F"=" '$1=="security.selinux" {print $2}')
# Unmount and remove the mount point; `error` on either step aborts the
# current test.
84 unmount_fstype $mds $mntpt || error "umount $mds failed"
85 do_facet $mds rmdir $mntpt || error "rmdir $mntpt failed"
# test_1 body (function header and closing brace are omitted from this
# listing): create a regular file through the client and confirm the MDT
# persisted a non-empty security.selinux xattr for it.
# ($devname is assigned but not referenced in the visible lines.)
92 local devname=$(mdsdevname 1)
93 local filename=${DIR}/${tdir}/df1
# Convert the client path to one relative to the filesystem root, as
# check_selinux_xattr expects: strip $MOUNT, then the leading '/'.
94 local mds_path=${filename#$MOUNT}
96 mds_path=${mds_path#/}
# Pin $tdir to MDT index 0 (read back from "mds1" below).
98 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir $tdir failed"
99 touch $filename || error "cannot touch $filename"
101 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
# getfattr reports an empty attribute as `""`, so both "absent" and "empty"
# count as failures here.
103 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
104 error "security.selinux xattr is not set"
106 run_test 1 "create file and check security.selinux xattr is set on MDT"
# test_2a body (function header and closing brace omitted): the same
# MDT-side label check as test_1, for a directory created with mkdir(2).
# ($devname is assigned but not referenced in the visible lines.)
109 local devname=$(mdsdevname 1)
110 local dirname=${DIR}/${tdir}/dir2a
# Path relative to the filesystem root, as check_selinux_xattr expects.
111 local mds_path=${dirname#$MOUNT}
113 mds_path=${mds_path#/}
# Pin $tdir to MDT index 0 so the new directory's xattr is read back from
# "mds1" below.
115 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
116 mkdir $dirname || error "cannot mkdir $dirname"
118 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
# `""` is what getfattr reports for an empty value; treat it as unset.
120 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
121 error "security.selinux xattr is not set"
123 run_test 2a "create dir (mkdir) and check security.selinux xattr is set on MDT"
# test_2b body (function header and closing brace omitted): directories
# created through the Lustre tools (`lfs mkdir`, `lfs setdirstripe`) must be
# labelled on the MDT just like those created with mkdir(2).
# ($devname is assigned but not referenced in the visible lines.)
126 local devname=$(mdsdevname 1)
127 local dirname1=${DIR}/$tdir/dir2b1
128 local dirname2=${DIR}/$tdir/dir2b2
129 local mds_path=${dirname1#$MOUNT}
131 mds_path=${mds_path#/}
133 $LFS setdirstripe -i0 -c1 ${DIR}/$tdir || error "create dir failed"
# First directory: created with `lfs mkdir`.
134 $LFS mkdir -c0 $dirname1 || error "cannot 'lfs mkdir' $dirname1"
136 local xattrval=$(check_selinux_xattr "mds1" $mds_path)
# mds_path is switched to the second directory before the first assertion;
# the $xattrval read just above still refers to dirname1.
138 mds_path=${dirname2#$MOUNT}
139 mds_path=${mds_path#/}
141 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
142 error "security.selinux xattr is not set"
# Second directory: created by `lfs setdirstripe` itself (no prior mkdir).
144 $LFS setdirstripe -i0 $dirname2 ||
145 error "cannot 'lfs setdirstripe' $dirname2"
147 xattrval=$(check_selinux_xattr "mds1" $mds_path)
149 [ -n "$xattrval" -a "$xattrval" != '""' ] ||
150 error "security.selinux xattr is not set"
152 run_test 2b "create dir with lfs and check security.selinux xattr is set on MDT"
# test_3 body (function header, inner `else`/`fi` lines and closing brace
# omitted): temporarily map the RUNAS user to the unconfined_u SELinux user
# and verify it can create and delete a file on the mount.
155 local filename=$DIR/df3
157 # get current mapping of runasid, and save it
158 local uname=$(getent passwd $RUNAS_ID | cut -d: -f1)
# Save the SELinux user and MLS range currently mapped to $uname; both stay
# empty when the user has no explicit entry in `semanage login -l`.
159 local sename=$(semanage login -l |
160 awk -v uname=$uname '$1==uname {print $2}')
161 local serange=$(semanage login -l |
162 awk -v uname=$uname '$1==uname {print $3}')
164 # change mapping of runasid to unconfined_u
# NOTE(review): this edits the live SELinux login configuration of the test
# node, and every `error` below aborts before the restore at the bottom —
# a failed run leaves $uname mapped as unconfined_u (a privilege the user
# is not meant to keep). A cleanup trap around the semanage calls would
# close that window. Also, `semanage login -a` rejects a login that already
# has a mapping on the semanage versions I know; `-m` modifies — TODO confirm.
165 semanage login -a -s unconfined_u $uname ||
166 error "unable to map $uname to unconfined_u"
# The commands run through a fresh login session ($PDSH to localhost)
# rather than via $RUNAS, presumably so the new login mapping is applied
# to the process context — TODO confirm against the framework's $PDSH.
169 echo "${uname} mapped as unconfined_u: touch $filename"
170 $PDSH ${uname}@localhost "touch $filename" ||
171 error "can't touch $filename"
172 echo "${uname} mapped as unconfined_u: rm -f $filename"
173 $PDSH ${uname}@localhost "rm -f $filename" ||
174 error "can't remove $filename"
176 # restore original mapping of runasid
# Re-add the saved SELinux user (with its MLS range when one was recorded);
# the omitted `else` branch presumably drops the mapping entirely when
# there was none to begin with.
177 if [ -n "$sename" ]; then
178 if [ -n "$serange" ]; then
179 semanage login -a -s $sename -r $serange $uname ||
180 error "unable to restore mapping for $uname"
182 semanage login -a -s $sename $uname ||
183 error "unable to restore mapping for $uname"
186 semanage login -d $uname
191 run_test 3 "access with unconfined user"
# test_4 body (function header, inner `else`/`fi` lines and closing brace
# omitted): confined SELinux users. Mapped to guest_u the RUNAS user must be
# denied file creation; mapped to user_u it must succeed. The saved mapping
# is restored at the end.
194 local filename=$DIR/df4
196 # get current mapping of runasid, and save it
197 local uname=$(getent passwd $RUNAS_ID | cut -d: -f1)
198 local sename=$(semanage login -l |
199 awk -v uname=$uname '$1==uname {print $2}')
200 local serange=$(semanage login -l |
201 awk -v uname=$uname '$1==uname {print $3}')
203 # change mapping of runasid to guest_u
# NOTE(review): as in test_3 this changes the node's live login mapping,
# and any `error` before the restore leaves $uname confined as guest_u or
# user_u; a cleanup trap would restore it on every exit path.
204 semanage login -a -s guest_u $uname ||
205 error "unable to map $uname to guest_u"
208 echo "${uname} mapped as guest_u: touch $filename"
# NOTE(review): any non-zero exit satisfies this negative check, so a
# transport or login failure of $PDSH itself is indistinguishable from the
# expected SELinux denial. Looking for the AVC denial (ausearch/audit log)
# or a specific "Permission denied" in the output would make it explicit.
209 $PDSH ${uname}@localhost "touch $filename" &&
210 error "touch $filename should have failed"
212 # change mapping of runasid to user_u
# NOTE(review): `-a` is used again although a mapping for $uname now exists
# (guest_u was just added); presumably accepted by the semanage in use,
# otherwise `-m` is required — TODO confirm.
213 semanage login -a -s user_u $uname ||
214 error "unable to map $uname to user_u"
217 echo "${uname} mapped as user_u: touch $filename"
218 $PDSH ${uname}@localhost "touch $filename" ||
219 error "can't touch $filename"
220 echo "${uname} mapped as user_u: rm -f $filename"
221 $PDSH ${uname}@localhost "rm -f $filename" ||
222 error "can't remove $filename"
224 # restore original mapping of runasid
# Put back the saved SELinux user (and MLS range if one was recorded); the
# omitted `else` branch presumably deletes the mapping when none existed.
225 if [ -n "$sename" ]; then
226 if [ -n "$serange" ]; then
227 semanage login -a -s $sename -r $serange $uname ||
228 error "unable to restore mapping for $uname"
230 semanage login -a -s $sename $uname ||
231 error "unable to restore mapping for $uname"
234 semanage login -d $uname
239 run_test 4 "access with specific SELinux user"
# test_5 body (function header and closing brace omitted): relabel a file
# with chcon, drop the client's caches, and confirm the new type is read
# back from the MDT xattr rather than served from a stale local copy.
242 local filename=$DIR/df5
243 local newsecctx="nfs_t"
246 touch $filename || error "cannot touch $filename"
# NOTE(review): chcon's exit status is ignored; a denied relabel surfaces
# only as the misleading "context ... is not correct" error below.
# `chcon -t $newsecctx $filename || error "chcon $filename failed"` pins it.
249 chcon -t $newsecctx $filename
252 # purge client's cache
# drop_caches=3 (page cache plus dentries/inodes) needs root; it forces the
# next lookup to refetch the security xattr instead of using cached state.
253 sync ; echo 3 > /proc/sys/vm/drop_caches
# Takes the 4th whitespace-separated `ls -lZ` field as the context and its
# third ':'-separated part as the type.
# NOTE(review): the field position depends on the coreutils `ls -lZ` output
# layout — TODO confirm on the target distribution.
257 local secctxseen=$(ls -lZ $filename | awk '{print $4}' | cut -d: -f3)
259 [ "$newsecctx" == "$secctxseen" ] ||
260 error "sec context seen from 1st mount point is not correct"
264 run_test 5 "security context retrieval from MDT xattr"
# test_10 body (function header and closing brace omitted): a relabel done
# through the second mount point ($DIR2) must be seen from the first mount
# point, i.e. the cached security context must not go stale across mounts.
267 local filename1=$DIR/df10
268 local filename2=$DIR2/df10
269 local newsecctx="nfs_t"
271 # create file from 1st mount point
272 touch $filename1 || error "cannot touch $filename1"
275 # change sec context from 2nd mount point
# NOTE(review): chcon's exit status is not checked; a denied relabel would
# surface only as the misleading error at the end of this test.
276 chcon -t $newsecctx $filename2
279 # get sec context from 1st mount point
# Type part of the context read from the 4th `ls -lZ` field.
# NOTE(review): the field position depends on the coreutils `ls -lZ`
# layout — TODO confirm on the target distribution.
281 local secctxseen=$(ls -lZ $filename1 | awk '{print $4}' | cut -d: -f3)
283 [ "$newsecctx" == "$secctxseen" ] ||
284 error "sec context seen from 1st mount point is not correct"
288 run_test 10 "[consistency] concurrent security context change"
# test_20a body (function header, inner `fi`s and closing brace omitted):
# while a file creation is paused inside the client by fail_loc 0x1409
# ($req_delay is set in an omitted line), look at the new file from the
# second mount point: it must be either not yet visible or already carry
# the same security context as seen from the first mount — the label must
# never be observable half-applied.
291 local uname=$(getent passwd $RUNAS_ID | cut -d: -f1)
292 local filename1=$DIR/df20a
293 local filename2=$DIR2/df20a
296 # sleep some time in ll_create_nd()
297 #define OBD_FAIL_LLITE_CREATE_FILE_PAUSE 0x1409
# NOTE(review): this arms the fail_loc on the client; it must be cleared
# (fail_loc=0) before the test returns or later creates keep stalling —
# presumably done in the omitted tail of this test, TODO confirm.
298 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x1409"
300 # create file on first mount point
# Background the create as the unprivileged user; $touchpid is captured in
# an omitted line and is presumably the $PDSH wrapper's pid.
301 $PDSH ${uname}@localhost "touch $filename1" &
# Make sure the background job is still alive, i.e. parked in the fail_loc
# sleep rather than already finished or failed, before racing it below.
305 if [[ -z "$(ps h -o comm -p $touchpid)" ]]; then
306 error "touch failed to sleep, pid=$touchpid"
309 # get sec info on second mount point
# Only read the context if the file is already visible on the 2nd mount.
# (secinfo1/secinfo2 are not declared local in the visible lines.)
310 if [ -e "$filename2" ]; then
311 secinfo2=$(ls -lZ $filename2 | awk '{print $4}')
314 # get sec info on first mount point
# The omitted lines presumably wait for the background touch before this.
316 secinfo1=$(ls -lZ $filename1 | awk '{print $4}')
318 # compare sec contexts
# Empty secinfo2 means the file was not yet visible from the 2nd mount,
# which is acceptable; otherwise both contexts must match exactly.
319 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
320 error "sec context seen from 2nd mount point is not correct"
324 run_test 20a "[atomicity] concurrent access from another client (file)"
# test_20b body (function header, inner `fi`s and closing brace omitted):
# same atomicity check as test_20a for a directory created with mkdir by
# the unprivileged user, paused by fail_loc 0x140a.
327 local uname=$(getent passwd $RUNAS_ID | cut -d: -f1)
328 local dirname1=$DIR/dd20b
329 local dirname2=$DIR2/dd20b
332 # sleep some time in ll_create_nd()
333 #define OBD_FAIL_LLITE_NEWNODE_PAUSE 0x140a
# NOTE(review): the fail_loc must be cleared before the test returns;
# presumably done in the omitted tail, TODO confirm.
334 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x140a"
336 # create file on first mount point
# $mkdirpid is captured in an omitted line.
337 $PDSH ${uname}@localhost "mkdir $dirname1" &
# The background job must still be alive (parked in the fail_loc sleep).
341 if [[ -z "$(ps h -o comm -p $mkdirpid)" ]]; then
342 error "mkdir failed to sleep, pid=$mkdirpid"
345 # get sec info on second mount point
# Only read the context if the directory is already visible on the 2nd mount.
346 if [ -e "$dirname2" ]; then
347 secinfo2=$(ls -ldZ $dirname2 | awk '{print $4}')
352 # get sec info on first mount point
354 secinfo1=$(ls -ldZ $dirname1 | awk '{print $4}')
356 # compare sec contexts
# Not yet visible (empty secinfo2) is fine; a visible entry must carry the
# same context as seen from the 1st mount.
357 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
358 error "sec context seen from 2nd mount point is not correct"
362 run_test 20b "[atomicity] concurrent access from another client (dir)"
# test_20c body (function header, inner `fi`s and closing brace omitted):
# same atomicity check as test_20b for a directory created with `lfs mkdir`,
# paused by fail_loc 0x140b. Unlike 20a/20b the create runs as the script's
# own user (no $PDSH), so this covers the privileged/lfs code path.
365 local dirname1=$DIR/dd20c
366 local dirname2=$DIR2/dd20c
369 # sleep some time in ll_create_nd()
370 #define OBD_FAIL_LLITE_SETDIRSTRIPE_PAUSE 0x140b
# NOTE(review): the fail_loc must be cleared before the test returns;
# presumably done in the omitted tail, TODO confirm.
371 do_facet client "$LCTL set_param fail_val=$req_delay fail_loc=0x140b"
373 # create file on first mount point
# $mkdirpid is captured in an omitted line.
374 lfs mkdir -c0 $dirname1 &
# The background job must still be alive (parked in the fail_loc sleep).
378 if [[ -z "$(ps h -o comm -p $mkdirpid)" ]]; then
379 error "lfs mkdir failed to sleep, pid=$mkdirpid"
382 # get sec info on second mount point
# Only read the context if the directory is already visible on the 2nd mount.
383 if [ -e "$dirname2" ]; then
384 secinfo2=$(ls -ldZ $dirname2 | awk '{print $4}')
389 # get sec info on first mount point
391 secinfo1=$(ls -ldZ $dirname1 | awk '{print $4}')
393 # compare sec contexts
# Not yet visible (empty secinfo2) is fine; a visible entry must carry the
# same context as seen from the 1st mount.
394 [ -z "$secinfo2" -o "$secinfo1" == "$secinfo2" ] ||
395 error "sec context seen from 2nd mount point is not correct"
399 run_test 20c "[atomicity] concurrent access from another client (dir via lfs)"
# Undo the setup done by check_and_setup_lustre above (both mounts included).
403 check_and_cleanup_lustre