* Anyone using the SELinux test suite on Fedora 28?
@ 2018-05-14 23:36 Casey Schaufler
  2018-05-14 23:48 ` Stephen Smalley
  0 siblings, 1 reply; 9+ messages in thread
From: Casey Schaufler @ 2018-05-14 23:36 UTC (permalink / raw)
  To: selinux

Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-14 23:36 Anyone using the SELinux test suite on Fedora 28? Casey Schaufler
@ 2018-05-14 23:48 ` Stephen Smalley
  2018-05-15  0:10   ` Casey Schaufler
  2018-05-15  1:39   ` Paul Moore
  0 siblings, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2018-05-14 23:48 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: selinux


It's been running fine for me. Maybe you just need to clean your tree and
do a fresh make test.

On Mon, May 14, 2018, 7:37 PM Casey Schaufler <casey@schaufler-ca.com>
wrote:

> Has anyone had success with the SELinux test suite on Fedora 28?
> I find the chcon and newrole are unhappy with the contexts used
> in the suite.
>
>
>


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-14 23:48 ` Stephen Smalley
@ 2018-05-15  0:10   ` Casey Schaufler
  2018-05-15 12:28     ` Stephen Smalley
  2018-05-15  1:39   ` Paul Moore
  1 sibling, 1 reply; 9+ messages in thread
From: Casey Schaufler @ 2018-05-15  0:10 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On 5/14/2018 4:48 PM, Stephen Smalley wrote:
> It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.

Did that first thing.

Digging down, I find that the "make -C policy load" is failing.

make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
/usr/sbin/semodule -i test_policy/test_policy.pp
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
  (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2565
      (allow test_create_no_t unconfined_t (process (sigchld)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2569
      (allow test_create_no_t self (process (transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2606
      (allow test_create_no_t self (process (setexec)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2634
      (allow test_create_d sysadm_t (process (sigchld)))

I bet the reason it's doing this is obvious. Just not to me.

> On Mon, May 14, 2018, 7:37 PM Casey Schaufler <casey@schaufler-ca.com <mailto:casey@schaufler-ca.com>> wrote:
>
>     Has anyone had success with the SELinux test suite on Fedora 28?
>     I find the chcon and newrole are unhappy with the contexts used
>     in the suite.
>
>



* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-14 23:48 ` Stephen Smalley
  2018-05-15  0:10   ` Casey Schaufler
@ 2018-05-15  1:39   ` Paul Moore
  1 sibling, 0 replies; 9+ messages in thread
From: Paul Moore @ 2018-05-15  1:39 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: selinux, Stephen Smalley

I run it several times a week on Rawhide, it's running fine for me.

FWIW, usually when people are having a problem running the
selinux-testsuite it is because they didn't follow the README very
closely.  I'm not saying that's the case here, but it couldn't hurt to
give it a second look ...

On Mon, May 14, 2018 at 7:48 PM, Stephen Smalley
<stephen.smalley@gmail.com> wrote:
> It's been running fine for me. Maybe you just need to clean your tree and do
> a fresh make test.
>
> On Mon, May 14, 2018, 7:37 PM Casey Schaufler <casey@schaufler-ca.com>
> wrote:
>>
>> Has anyone had success with the SELinux test suite on Fedora 28?
>> I find the chcon and newrole are unhappy with the contexts used
>> in the suite.

-- 
paul moore
www.paul-moore.com


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-15  0:10   ` Casey Schaufler
@ 2018-05-15 12:28     ` Stephen Smalley
  2018-05-15 12:57       ` Stephen Smalley
  2018-05-15 14:50       ` Casey Schaufler
  0 siblings, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2018-05-15 12:28 UTC (permalink / raw)
  To: Casey Schaufler, Stephen Smalley; +Cc: selinux

On 05/14/2018 08:10 PM, Casey Schaufler wrote:
> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>> It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
> 
> Did that first thing.
> 
> Digging down, I find that the "make -C policy load" is failing.
> 
> make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
> # General policy load
> /usr/sbin/semodule -i test_policy/test_policy.pp
> neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
>   (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
>     <root>
>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2565
>       (allow test_create_no_t unconfined_t (process (sigchld)))
>     <root>
>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2569
>       (allow test_create_no_t self (process (transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
>     <root>
>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2606
>       (allow test_create_no_t self (process (setexec)))
>     <root>
>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2634
>       (allow test_create_d sysadm_t (process (sigchld)))
> 
> I bet the reason it's doing this is obvious. Just not to me.

Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
That's noted in the README but used to be the default in Fedora (changed in 28).

> 
>> On Mon, May 14, 2018, 7:37 PM Casey Schaufler <casey@schaufler-ca.com <mailto:casey@schaufler-ca.com>> wrote:
>>
>>     Has anyone had success with the SELinux test suite on Fedora 28?
>>     I find the chcon and newrole are unhappy with the contexts used
>>     in the suite.
>>
>>
> 


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-15 12:28     ` Stephen Smalley
@ 2018-05-15 12:57       ` Stephen Smalley
  2018-05-15 14:50       ` Casey Schaufler
  1 sibling, 0 replies; 9+ messages in thread
From: Stephen Smalley @ 2018-05-15 12:57 UTC (permalink / raw)
  To: Casey Schaufler, Stephen Smalley; +Cc: selinux, Paul Moore

On 05/15/2018 08:28 AM, Stephen Smalley wrote:
> On 05/14/2018 08:10 PM, Casey Schaufler wrote:
>> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>>> It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
>>
>> Did that first thing.
>>
>> Digging down, I find that the "make -C policy load" is failing.
>>
>> make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
>> # General policy load
>> /usr/sbin/semodule -i test_policy/test_policy.pp
>> neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
>>   (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
>>     <root>
>>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2565
>>       (allow test_create_no_t unconfined_t (process (sigchld)))
>>     <root>
>>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2569
>>       (allow test_create_no_t self (process (transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
>>     <root>
>>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2606
>>       (allow test_create_no_t self (process (setexec)))
>>     <root>
>>     allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2634
>>       (allow test_create_d sysadm_t (process (sigchld)))
>>
>> I bet the reason it's doing this is obvious. Just not to me.
> 
> Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
> That's noted in the README but used to be the default in Fedora (changed in 28).

Also, just FYI, expand-check controls whether neverallow and type bounds checking is performed when the policy
is linked/expanded.  The test policy necessarily violates some of these policy assertions in order to test the
kernel functionality, and thus we have to disable the userspace checking when installing the test policy.  Fedora
used to disable this checking anyway (except when the policy is built as a package) because it was a) slow and
b) could prevent users from installing local policy modules that would violate these assertions (but might be
necessary to fix some issue they had).

> 
>>
>>> On Mon, May 14, 2018, 7:37 PM Casey Schaufler <casey@schaufler-ca.com <mailto:casey@schaufler-ca.com>> wrote:
>>>
>>>     Has anyone had success with the SELinux test suite on Fedora 28?
>>>     I find the chcon and newrole are unhappy with the contexts used
>>>     in the suite.
>>>
>>>
>>
> 


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-15 12:28     ` Stephen Smalley
  2018-05-15 12:57       ` Stephen Smalley
@ 2018-05-15 14:50       ` Casey Schaufler
  2018-05-15 21:08         ` Paul Moore
  1 sibling, 1 reply; 9+ messages in thread
From: Casey Schaufler @ 2018-05-15 14:50 UTC (permalink / raw)
  To: Stephen Smalley, Stephen Smalley; +Cc: selinux

On 5/15/2018 5:28 AM, Stephen Smalley wrote:
> On 05/14/2018 08:10 PM, Casey Schaufler wrote:
>> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>>> It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
>> Did that first thing.
>>
>> Digging down, I find that the "make -C policy load" is failing.
>>
>> make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
>> # General policy load
>> <snip>
>> I bet the reason it's doing this is obvious. Just not to me.
> Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
> That's noted in the README but used to be the default in Fedora (changed in 28).

Yup, that did the trick. Thank you.

I suggest that you move the note about expand-check up from "Running the Tests"
into "Userland and Base Policy". With the Fedora 28 change it's much more likely
to be an issue.


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-15 14:50       ` Casey Schaufler
@ 2018-05-15 21:08         ` Paul Moore
  2018-05-16 15:34           ` Casey Schaufler
  0 siblings, 1 reply; 9+ messages in thread
From: Paul Moore @ 2018-05-15 21:08 UTC (permalink / raw)
  To: Casey Schaufler, Stephen Smalley; +Cc: Stephen Smalley, selinux

On Tue, May 15, 2018 at 10:50 AM, Casey Schaufler
<casey@schaufler-ca.com> wrote:
> On 5/15/2018 5:28 AM, Stephen Smalley wrote:
>> On 05/14/2018 08:10 PM, Casey Schaufler wrote:
>>> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>>>> It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
>>> Did that first thing.
>>>
>>> Digging down, I find that the "make -C policy load" is failing.
>>>
>>> make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
>>> # General policy load
>>> <snip>
>>> I bet the reason it's doing this is obvious. Just not to me.
>> Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
>> That's noted in the README but used to be the default in Fedora (changed in 28).
>
> Yup, that did the trick. Thank you.
>
> I suggest that you move the note about expand-check up from "Running the Tests"
> into "Userland and Base Policy". With the Fedora 28 change it's much more likely
> to be an issue.

Let's just add a check to the Makefile before we attempt to load the
policy.  People are more likely to notice a meaningful error message
than they are instructions in the docs.  Check the patch I just sent
to the list.

-- 
paul moore
www.paul-moore.com
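
A pre-load check of the kind proposed above, tied to the expand-check behaviour explained earlier in the thread. This is an added example, not the patch sent to the list and not selinux-testsuite code; the function names are hypothetical, and it assumes the last uncommented assignment wins and that a missing or commented-out key means checking is enabled, as semanage.conf(5) documents.

```shell
#!/bin/sh
# Added example (not selinux-testsuite code): refuse to load a policy module
# that intentionally violates neverallow rules while expand-check is enabled.

# Print the effective expand-check value of a semanage.conf-style file.
# Assumptions: the last uncommented assignment wins; an absent or
# commented-out key means 1 (checking enabled).
effective_expand_check() {
    conf=$1
    val=$(sed -n \
        's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    echo "${val:-1}"
}

# Return 0 if the test policy can be loaded, 1 if neverallow checking would
# reject it, 2 if the configuration file cannot be read.
check_expand_check() {
    conf=${1:-/etc/selinux/semanage.conf}
    if [ ! -r "$conf" ]; then
        echo "error: cannot read $conf" >&2
        return 2
    fi
    if [ "$(effective_expand_check "$conf")" != "0" ]; then
        echo "error: expand-check is enabled in $conf;" \
             "set 'expand-check = 0' before loading the test policy" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: the key exists only as a comment, so the
# effective value is the enabled default and the check fails.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real distribution file
module-store = direct
#expand-check=0
EOF
}

# Intended use in front of the load step:
#   check_expand_check && /usr/sbin/semodule -i test_policy/test_policy.pp
```

Run against a file with an uncommented `expand-check = 0`, the check passes silently; against the constructed sample it prints the error and returns 1 before semodule is ever invoked.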


* Re: Anyone using the SELinux test suite on Fedora 28?
  2018-05-15 21:08         ` Paul Moore
@ 2018-05-16 15:34           ` Casey Schaufler
  0 siblings, 0 replies; 9+ messages in thread
From: Casey Schaufler @ 2018-05-16 15:34 UTC (permalink / raw)
  To: Paul Moore, Stephen Smalley; +Cc: Stephen Smalley, selinux

On 5/15/2018 2:08 PM, Paul Moore wrote:
> On Tue, May 15, 2018 at 10:50 AM, Casey Schaufler
> <casey@schaufler-ca.com> wrote:
>> On 5/15/2018 5:28 AM, Stephen Smalley wrote:
>>> On 05/14/2018 08:10 PM, Casey Schaufler wrote:
>>>> On 5/14/2018 4:48 PM, Stephen Smalley wrote:
>>>>> It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
>>>> Did that first thing.
>>>>
>>>> Digging down, I find that the "make -C policy load" is failing.
>>>>
>>>> make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
>>>> # General policy load
>>>> <snip>
>>>> I bet the reason it's doing this is obvious. Just not to me.
>>> Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
>>> That's noted in the README but used to be the default in Fedora (changed in 28).
>> Yup, that did the trick. Thank you.
>>
>> I suggest that you move the note about expand-check up from "Running the Tests"
>> into "Userland and Base Policy". With the Fedora 28 change it's much more likely
>> to be an issue.
> Let's just add a check to the Makefile before we attempt to load the
> policy.  People are more likely to notice a meaningful error message
> than they are instructions in the docs.  Check the patch I just sent
> to the list.

I think that will do just fine. Thank you.
