selinux.vger.kernel.org archive mirror
* [PATCH testsuite] tests/sysctl: use vm.swappiness instead of kernel.modprobe
@ 2021-01-13 12:26 Ondrej Mosnacek
  2021-01-18 13:44 ` Ondrej Mosnacek
  0 siblings, 1 reply; 2+ messages in thread
From: Ondrej Mosnacek @ 2021-01-13 12:26 UTC (permalink / raw)
  To: selinux

/proc/sys/kernel/modprobe is labeled as usermode_helper_t on Fedora and
all domains are allowed to read that type now [1] so that crash handling
can proceed without denials.

While the underlying issue might be a kernel bug (I suspect these files
should be read under kernel credentials, not the crashing process),
let's use a different sysctl for testing for now.

Since vm.swappiness will be more strict about what values can be set,
rework the test a bit so that it works correctly regardless of the
original value and restores the original setting at the end.

[1] https://github.com/fedora-selinux/selinux-policy/pull/528

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tests/sysctl/test | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/tests/sysctl/test b/tests/sysctl/test
index a726e96..d6f8c0f 100755
--- a/tests/sysctl/test
+++ b/tests/sysctl/test
@@ -3,21 +3,30 @@
 use Test;
 BEGIN { plan tests => 4 }
 
-$sysctl = "kernel.modprobe";
+$sysctl = "vm.swappiness";
+$val1   = "20";
+$val2   = "21";
+$val3   = "22";
 $oldval = `/sbin/sysctl -n $sysctl`;
 
+# set to a known value
+system "/sbin/sysctl -w $sysctl=$val1";
+
 $result = system "runcon -t test_sysctl_t -- /sbin/sysctl -n $sysctl 2>&1";
 ok( $result, 0 );
 
 $result =
-  system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$oldval 2>&1";
+  system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$val2 2>&1";
 ok( $result, 0 );
 
 $result = system "runcon -t test_nosysctl_t -- /sbin/sysctl -n $sysctl 2>&1";
 ok($result);
 
 $result =
-  system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=foobar 2>&1";
+  system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=$val3 2>&1";
 ok($result);
 
+# restore original value
+system "/sbin/sysctl -w $sysctl=$oldval";
+
 exit;
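
Review bot: the two added system calls that run outside runcon (the "set to a known value" write of $val1 and the final restore of $oldval) ignore their exit status, so if the initial write fails the four checks still run against an unknown starting value. Consider checking the result of the setup write and aborting on failure. Since $val1, $val2 and $val3 are distinct, the test could also read the value back after the test_sysctl_t write (expecting $val2) and after the test_nosysctl_t write (expecting it to still be $val2, not $val3), so that it verifies the effect of each write and not only the exit code. As written, ok($result) for the denied cases passes on any non-zero status.
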
-- 
2.29.2



* Re: [PATCH testsuite] tests/sysctl: use vm.swappiness instead of kernel.modprobe
  2021-01-13 12:26 [PATCH testsuite] tests/sysctl: use vm.swappiness instead of kernel.modprobe Ondrej Mosnacek
@ 2021-01-18 13:44 ` Ondrej Mosnacek
  0 siblings, 0 replies; 2+ messages in thread
From: Ondrej Mosnacek @ 2021-01-18 13:44 UTC (permalink / raw)
  To: SElinux list

On Wed, Jan 13, 2021 at 1:26 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> /proc/sys/kernel/modprobe is labeled as usermode_helper_t on Fedora and
> all domains are allowed to read that type now [1] so that crash handling
> can proceed without denials.
>
> While the underlying issue might be a kernel bug (I suspect these files
> should be read under kernel credentials, not the crashing process),
> let's use a different sysctl for testing for now.
>
> Since vm.swappiness will be more strict about what values can be set,
> rework the test a bit so that it works correctly regardless of the
> original value and restores the original setting at the end.
>
> [1] https://github.com/fedora-selinux/selinux-policy/pull/528
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  tests/sysctl/test | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)

Now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/24bb5c0090710767ff187f1682e5bf355166caa3

>
> diff --git a/tests/sysctl/test b/tests/sysctl/test
> index a726e96..d6f8c0f 100755
> --- a/tests/sysctl/test
> +++ b/tests/sysctl/test
> @@ -3,21 +3,30 @@
>  use Test;
>  BEGIN { plan tests => 4 }
>
> -$sysctl = "kernel.modprobe";
> +$sysctl = "vm.swappiness";
> +$val1   = "20";
> +$val2   = "21";
> +$val3   = "22";
>  $oldval = `/sbin/sysctl -n $sysctl`;
>
> +# set to a known value
> +system "/sbin/sysctl -w $sysctl=$val1";
> +
>  $result = system "runcon -t test_sysctl_t -- /sbin/sysctl -n $sysctl 2>&1";
>  ok( $result, 0 );
>
>  $result =
> -  system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$oldval 2>&1";
> +  system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$val2 2>&1";
>  ok( $result, 0 );
>
>  $result = system "runcon -t test_nosysctl_t -- /sbin/sysctl -n $sysctl 2>&1";
>  ok($result);
>
>  $result =
> -  system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=foobar 2>&1";
> +  system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=$val3 2>&1";
>  ok($result);
>
> +# restore original value
> +system "/sbin/sysctl -w $sysctl=$oldval";
> +
>  exit;
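
Review bot: $oldval is captured with backticks in the unchanged line `$oldval = `/sbin/sysctl -n $sysctl`;` and still carries its trailing newline when it is interpolated into the added restore command `system "/sbin/sysctl -w $sysctl=$oldval";`. That is harmless here because the value ends the command string, but in the removed line `-w $sysctl=$oldval 2>&1` the same newline separated the redirect from the sysctl command. Adding `chomp($oldval);` right after the capture would keep the restore correct if anything is ever appended to it.
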
> --
> 2.29.2
>


-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.

