Re: Possible regression test failure?

From: Dan Noland <dan@starlab.io>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: "selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: Possible regression test failure?
Date: Mon, 6 May 2019 17:14:59 +0000	[thread overview]
Message-ID: <20190506171456.GA31691@starlab.io> (raw)
In-Reply-To: <CAFqZXNt0abLcRxbOVdvybZ4fntN95zZyce4XK0z0tLftW19Tmw@mail.gmail.com>

The 05/04/2019 20:00, Ondrej Mosnacek wrote:
> Hi Dan,
> 
> On Sat, May 4, 2019 at 5:42 AM Dan Noland <dan@starlab.io> wrote:
> > - Hello -
> >
> > I am running a CentOS (7.6.1810 Core) base system with a 4.19.0-x
> > kernel. I have a fresh clone of the selinux-testsuite from
> > github. Before invoking "make -C policy load" I am running only the
> > targeted policy in the enforcing mode. I am consistently seeing a
> > single failure in the mmap regression tests:
> >
> > not ok 27
> > # Failed test 27 in ./mmap/test at line 143
> > #  ./mmap/test line 143 is:     ok($result);
> >

> >
> > Any wisdom on how I should understand and address this failure would
> > be gratefully received.
> 
> RHEL (and likely also CentOS) 7.6 has the domain_can_mmap_files
> SELinux boolean set to "on" by default [1], which basically means that
> map permissions are not checked, which logically leads to the failure
> of the test that checks that map permission is denied when it was not
> allowed by the test policy. When running the testsuite on CentOS/RHEL
> 7.6, you need to turn off the domain_can_mmap_files boolean during
> test execution:
> 
> # setsebool domain_can_mmap_files off
> (run the testsuite)
> # setsebool domain_can_mmap_files on
> 
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/7.6_release_notes/index#BZ1460322
> 

- Ondrej -

That was exactly the problem. Thank you.

-- 
TY,
Dan Noland