[v4,testsuite,00/15] Update to work on Debian

Message ID 20200508154138.24217-1-stephen.smalley.work@gmail.com (mailing list archive)

Message

Stephen Smalley May 8, 2020, 3:41 p.m. UTC
Update the selinux testsuite to work on Debian and provide
instructions for building and running it there.

v4 splits the patch into one patch per logical change, updates
some of the descriptions, drops an unnecessary constraint
(only appear to need the peer recv constraint from Fedora for
the current tests, not the packet/SECMARK constraint), cleans up
the Makefile, and updates the test for noexec dev to match
any "/dev .*noexec" instead of just devtmpfs since not everyone
uses devtmpfs.

Stephen Smalley (15):
  test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
  test_execute_no_trans.te: stop using mmap_file_perms
  test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
  test_global.te: allow test domains to statfs selinuxfs
  test_inet_socket.te: switch from generic_port to
    _all_unreserved_ports()
  test_sctp.te: make netlabel_peer_t a MCS-constrained type
  test_policy.if: use ptynode instead of unconfined_devpts_t
  test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
  policy: Add MCS constraint on peer recv
  policy: Add defaultrange rules for overlay tests
  test_filesystem.te,tests/{fs_}filesystem: do not force user identity
    to system_u
  policy/Makefile: conditionalize setting of allow_domain_fd_use
  tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
    needed
  tests/mmap: skip /dev/zero tests if /dev is noexec
  README.md: Add instructions for Debian

 README.md                            | 66 +++++++++++++++++++++++++++-
 policy/Makefile                      | 23 +++++++---
 policy/test_capable_net.te           |  2 -
 policy/test_execute_no_trans.te      |  3 +-
 policy/test_filesystem.te            |  1 +
 policy/test_global.te                |  1 +
 policy/test_ibendport.te             |  9 ++--
 policy/test_inet_socket.te           | 22 +++++-----
 policy/test_mlsconstrain.cil         |  2 +
 policy/test_overlay_defaultrange.cil |  7 +++
 policy/test_overlayfs.te             |  1 +
 policy/test_policy.if                |  4 +-
 policy/test_sctp.te                  |  1 +
 tests/cap_userns/test                |  8 ++++
 tests/filesystem/test                |  2 +-
 tests/fs_filesystem/test             |  2 +-
 tests/mmap/test                      | 48 +++++++++++++-------
 17 files changed, 154 insertions(+), 48 deletions(-)
 create mode 100644 policy/test_mlsconstrain.cil
 create mode 100644 policy/test_overlay_defaultrange.cil

Comments

Stephen Smalley May 8, 2020, 7:54 p.m. UTC | #1
On Fri, May 8, 2020 at 11:42 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Update the selinux testsuite to work on Debian and provide
> instructions for building and running it there.

NB: With this series applied and the separate quotastest fix, I was
able to also run the testsuite on Ubuntu 20.04.
On Ubuntu I had to build upstream libbpf from source because
libbpf-dev was not packaged in Ubuntu unlike Debian
(https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836708).

The Ubuntu kernel had two test failures:
mmap/test                 (Wstat: 0 Tests: 39 Failed: 1)
  Failed test:  2
checkreqprot/test         (Wstat: 0 Tests: 1 Failed: 1)
  Failed test:  1

These were both due to kernel configuration in their stock kernel:
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1

The latter isn't too surprising since it used to be the default and
likely just got carried forward in newer kernel configs.
The former is rather odd; not sure how that happened.
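The two failures traced above to the stock Ubuntu kernel configuration, and the "/dev .*noexec" condition the cover letter says tests/mmap now skips its /dev/zero tests on, are both worth checking before a run. The script below is an added example for this page; it is not part of the selinux-testsuite or of this series. It relies only on standard kernel paths (/proc/config.gz or /boot/config-$(uname -r) for the kernel config, /proc/sys/vm/mmap_min_addr, /sys/fs/selinux/checkreqprot and /proc/mounts); the function names, the --live flag and the sample inputs are constructed for the example, and the mount check matches the /dev mount point field exactly rather than the looser "/dev .*noexec" pattern mentioned in the cover letter.

```sh
#!/bin/sh
# Added example, not part of the selinux-testsuite or of this series:
# pre-flight checks for the kernel-configuration conditions this thread
# ties to test results. Function names and the --live flag are this
# example's own choices.
#
# Every check takes its input on stdin so it can run against the live
# system (zcat /proc/config.gz, cat /proc/mounts) or against saved text.

# Print the value of one CONFIG_ option from kconfig text on stdin,
# or "unset" if the option is absent or appears as "# ... is not set".
kconfig_value() {
    val=$(sed -n "s/^$1=//p" | head -n 1)
    [ -n "$val" ] && echo "$val" || echo unset
}

# One line per option the thread names, with a verdict: the values
# reported for the Ubuntu 20.04 stock kernel are flagged "suspect".
kconfig_report() {
    cfg=$(cat)
    for opt in CONFIG_LSM_MMAP_MIN_ADDR CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; do
        val=$(printf '%s\n' "$cfg" | kconfig_value "$opt")
        case "$opt=$val" in
            CONFIG_LSM_MMAP_MIN_ADDR=0)
                verdict="suspect: mmap/test 2 failed with this value" ;;
            CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1)
                verdict="suspect: checkreqprot/test 1 failed with this value" ;;
            *=unset)
                verdict="unset: option missing from this config" ;;
            *)
                verdict=ok ;;
        esac
        printf '%s=%s %s\n' "$opt" "$val" "$verdict"
    done
}

# Exit 0 if a /proc/mounts-style listing on stdin shows the /dev mount
# itself (field 2 exactly "/dev", so /dev/pts does not count) carrying
# noexec in its option list (field 4).
dev_is_noexec() {
    awk '$2 == "/dev" && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
         END { exit !found }'
}

# Constructed sample inputs (not captured from a real machine).
sample_ubuntu_config() {
    cat <<'EOF'
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_LSM_MMAP_MIN_ADDR=0
EOF
}

sample_noexec_mounts() {
    cat <<'EOF'
udev /dev devtmpfs rw,nosuid,noexec,relatime,size=3990720k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
EOF
}

sample_exec_mounts() {
    cat <<'EOF'
udev /dev devtmpfs rw,nosuid,relatime,size=3990720k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
EOF
}

# Run the checks against this machine: kernel config if exposed, then
# the runtime knobs, then the /dev mount options.
live_report() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | kconfig_report
    elif [ -r "/boot/config-$(uname -r)" ]; then
        kconfig_report < "/boot/config-$(uname -r)"
    else
        echo "kernel config not found; runtime values only"
    fi
    for f in /proc/sys/vm/mmap_min_addr /sys/fs/selinux/checkreqprot; do
        if [ -r "$f" ]; then echo "$f = $(cat "$f")"; fi
    done
    if dev_is_noexec < /proc/mounts; then
        echo "/dev is mounted noexec: the /dev/zero mmap tests will be skipped"
    else
        echo "/dev is not mounted noexec"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run it as `sh preflight.sh --live` on the target before `make test`; without the flag it only defines the functions, so the sample inputs can be piped through `kconfig_report` and `dev_is_noexec` to see the two verdict strings and the skip condition without touching the host.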
Ondrej Mosnacek May 12, 2020, 9:43 a.m. UTC | #2
On Fri, May 8, 2020 at 5:42 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> Update the selinux testsuite to work on Debian and provide
> instructions for building and running it there.
>
> v4 splits the patch into one patch per logical change, updates
> some of the descriptions, drops an unnecessary constraint
> (only appear to need the peer recv constraint from Fedora for
> the current tests, not the packet/SECMARK constraint), cleans up
> the Makefile, and updates the test for noexec dev to match
> any "/dev .*noexec" instead of just devtmpfs since not everyone
> uses devtmpfs.
>
> Stephen Smalley (15):
>   test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
>   test_execute_no_trans.te: stop using mmap_file_perms
>   test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
>   test_global.te: allow test domains to statfs selinuxfs
>   test_inet_socket.te: switch from generic_port to
>     _all_unreserved_ports()
>   test_sctp.te: make netlabel_peer_t a MCS-constrained type
>   test_policy.if: use ptynode instead of unconfined_devpts_t
>   test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
>   policy: Add MCS constraint on peer recv
>   policy: Add defaultrange rules for overlay tests
>   test_filesystem.te,tests/{fs_}filesystem: do not force user identity
>     to system_u
>   policy/Makefile: conditionalize setting of allow_domain_fd_use
>   tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
>     needed
>   tests/mmap: skip /dev/zero tests if /dev is noexec
>   README.md: Add instructions for Debian

With the exception of 07/15, on which I had a small comment:

Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

(No need to respin the whole series in case you are going to respin
07. I can just splice it in before merging or apply on top.)

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
Ondrej Mosnacek May 13, 2020, 11:57 a.m. UTC | #3
On Tue, May 12, 2020 at 11:43 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Fri, May 8, 2020 at 5:42 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > Update the selinux testsuite to work on Debian and provide
> > instructions for building and running it there.
> >
> > v4 splits the patch into one patch per logical change, updates
> > some of the descriptions, drops an unnecessary constraint
> > (only appear to need the peer recv constraint from Fedora for
> > the current tests, not the packet/SECMARK constraint), cleans up
> > the Makefile, and updates the test for noexec dev to match
> > any "/dev .*noexec" instead of just devtmpfs since not everyone
> > uses devtmpfs.
> >
> > Stephen Smalley (15):
> >   test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
> >   test_execute_no_trans.te: stop using mmap_file_perms
> >   test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
> >   test_global.te: allow test domains to statfs selinuxfs
> >   test_inet_socket.te: switch from generic_port to
> >     _all_unreserved_ports()
> >   test_sctp.te: make netlabel_peer_t a MCS-constrained type
> >   test_policy.if: use ptynode instead of unconfined_devpts_t
> >   test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
> >   policy: Add MCS constraint on peer recv
> >   policy: Add defaultrange rules for overlay tests
> >   test_filesystem.te,tests/{fs_}filesystem: do not force user identity
> >     to system_u
> >   policy/Makefile: conditionalize setting of allow_domain_fd_use
> >   tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
> >     needed
> >   tests/mmap: skip /dev/zero tests if /dev is noexec
> >   README.md: Add instructions for Debian
>
> With the exception of 07/15, on which I had a small comment:
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> (No need to respin the whole series in case you are going to respin
> 07. I can just splice it in before merging or apply on top.)

All patches now applied (with v5 of 07/15).