From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: SElinux list <selinux@vger.kernel.org>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH] selinux-testsuite: update to work on Debian
Date: Wed, 6 May 2020 09:44:39 -0400
Message-ID: <CAEjxPJ7GVYBTKyiQM8_XdnbXk26-Eq_cPAs1zrtK8Aj=FfZd_A@mail.gmail.com>
In-Reply-To: <20200506005339.13641-1-stephen.smalley.work@gmail.com>

On Tue, May 5, 2020 at 8:54 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Update the testsuite policy and code so that it builds and
> runs on Debian unstable and stable successfully (if one has
> already enabled SELinux on Debian).  Provide the necessary
> dependencies and instructions in the README.

A few notes for anyone trying to run this on Debian:

1) There is an open bug in Debian around gdm login shells running in
the wrong context (initrc_t instead of unconfined_t),
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874191, due to the
/sys/fs/selinux/user ERANGE problem breaking pam_selinux for the
systemd --user instance and the lack of either a policy workaround (as
previously done in Fedora to limit outbound transitions from init_t to
only valid cases) or the recent libselinux fix (to stop using
/sys/fs/selinux/user altogether).  To permit testing without requiring
my own custom policy or libselinux, I simply ran the tests from an ssh
login rather than a graphical login.  Non-graphical console login
probably would have worked too, but I didn't try. But I have escalated
the bug with the Debian SELinux maintainers in hopes of getting that
fixed.

2) In Debian unstable, I also had to setsebool -P ssh_sysadm_login=1
to allow ssh login as unconfined.  I let the Debian SELinux
maintainers know but it isn't clear they will change the default.

3) The Debian policy package ships with /etc/selinux/config set to
permissive since the policy often doesn't work cleanly out of the box,
so I had to manually setenforce 1 before running the testsuite.  This
btw killed any gdm login sessions as well due to missing execmem and
other permissions so that's another reason to not do it from a gdm
login under their current policy.

4) The Debian stable kernel didn't enable CONFIG_NETLABEL so all of
the netlabel-dependent inet_socket tests failed on stable.  Debian
unstable kernel had CONFIG_NETLABEL enabled and they all passed there.
I didn't consider it worthwhile to build my own Debian stable kernel
for testing it; I just wanted to ensure that the policy worked, which
I consider the Debian unstable test to prove.

Interestingly, on Debian unstable, we end up running more tests than
on Fedora rawhide currently: 64 test scripts with 869 individual tests
versus 62 test scripts with 824 individual tests.  This is because
Debian unstable's policy (which is based on a recent snapshot of
refpolicy) has class and permission definitions for everything in its
kernel except the lockdown class, versus Fedora which lacks the watch*
permissions as well as the perf_event and lockdown classes.
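The four Debian notes above amount to a pre-flight checklist; the script below is an added example (not part of the testsuite or of this thread) that encodes them as checks. Each check takes its input as an argument so it can be exercised against constructed data, and the assumed live sources are `id -Z`, `getsebool`, /sys/fs/selinux/enforce and /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added pre-flight checks for the four Debian notes above (example code, not
# part of the testsuite). Each check takes its input as an argument so it can
# be run against constructed data; preflight() wires in the live sources.
# Assumed paths: /sys/fs/selinux/enforce and /boot/config-$(uname -r).

# Note 1: the shell running the tests must be unconfined_t, not initrc_t.
# $1 = a security context, e.g. "unconfined_u:unconfined_r:unconfined_t:s0"
check_login_context() {
    ctx_type=$(printf '%s' "$1" | cut -d: -f3)
    [ "$ctx_type" = "unconfined_t" ]
}

# Note 2: ssh_sysadm_login must be on. $1 = one line of getsebool output.
check_ssh_sysadm_login() {
    [ "$1" = "ssh_sysadm_login --> on" ]
}

# Note 3: the testsuite needs enforcing mode. $1 = path to a file in the
# /sys/fs/selinux/enforce format ("1" enforcing, "0" permissive).
check_enforcing() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Note 4: the netlabel-dependent inet_socket tests need CONFIG_NETLABEL=y.
# $1 = path to a kernel .config.
check_netlabel() {
    grep -qx 'CONFIG_NETLABEL=y' "$1" 2>/dev/null
}

# Run all four checks against the live system; the return value is the
# number of failed checks, so a wrapper can refuse to start the suite.
preflight() {
    failed=0
    check_login_context "$(id -Z 2>/dev/null)" || {
        echo "shell is not unconfined_t (see Debian bug 874191; use ssh)"; failed=$((failed + 1)); }
    check_ssh_sysadm_login "$(getsebool ssh_sysadm_login 2>/dev/null)" || {
        echo "run: setsebool -P ssh_sysadm_login=1"; failed=$((failed + 1)); }
    check_enforcing /sys/fs/selinux/enforce || {
        echo "run: setenforce 1 (this may kill gdm sessions under the current policy)"; failed=$((failed + 1)); }
    check_netlabel "/boot/config-$(uname -r)" || {
        echo "CONFIG_NETLABEL not set; netlabel inet_socket tests will fail"; failed=$((failed + 1)); }
    return "$failed"
}

# Usage: . ./debian-preflight.sh && preflight
```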
