Discussion:
Anyone using the SELinux test suite on Fedora 28?
Casey Schaufler
2018-05-14 23:36:09 UTC
Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.
Stephen Smalley
2018-05-14 23:48:18 UTC
It's been running fine for me. Maybe you just need to clean your tree and
do a fresh make test.
Post by Casey Schaufler
Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.
Casey Schaufler
2018-05-15 00:10:33 UTC
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
Did that first thing.

Digging down, I find that the "make -C policy load" is failing.

make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
/usr/sbin/semodule -i test_policy/test_policy.pp
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
(neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2565
(allow test_create_no_t unconfined_t (process (sigchld)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2569
(allow test_create_no_t self (process (transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2606
(allow test_create_no_t self (process (setexec)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2634
(allow test_create_d sysadm_t (process (sigchld)))

I bet the reason it's doing this is obvious. Just not to me.
Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.
Stephen Smalley
2018-05-15 12:28:18 UTC
Post by Casey Schaufler
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
Did that first thing.
Digging down, I find that the "make -C policy load" is failing.
make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
/usr/sbin/semodule -i test_policy/test_policy.pp
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
(neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2565
(allow test_create_no_t unconfined_t (process (sigchld)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2569
(allow test_create_no_t self (process (transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2606
(allow test_create_no_t self (process (setexec)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2634
(allow test_create_d sysadm_t (process (sigchld)))
I bet the reason it's doing this is obvious. Just not to me.
Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
That's noted in the README but used to be the default in Fedora (changed in 28).
Post by Casey Schaufler
Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.
Stephen Smalley
2018-05-15 12:57:42 UTC
Post by Stephen Smalley
Post by Casey Schaufler
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
Did that first thing.
Digging down, I find that the "make -C policy load" is failing.
make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
/usr/sbin/semodule -i test_policy/test_policy.pp
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
(neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2565
(allow test_create_no_t unconfined_t (process (sigchld)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2569
(allow test_create_no_t self (process (transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2606
(allow test_create_no_t self (process (setexec)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/400/test_policy/cil:2634
(allow test_create_d sysadm_t (process (sigchld)))
I bet the reason it's doing this is obvious. Just not to me.
Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
That's noted in the README but used to be the default in Fedora (changed in 28).
Also, just FYI, expand-check controls whether neverallow and type bounds checking is performed when the policy
is linked/expanded. The test policy necessarily violates some of these policy assertions in order to test the
kernel functionality, and thus we have to disable the userspace checking when installing the test policy. Fedora
used to disable this checking anyway (except when the policy is built as a package) because it was a) slow and
b) could prevent users from installing local policy modules that would violate these assertions (but might be
necessary to fix some issue they had).
Post by Stephen Smalley
Post by Casey Schaufler
Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.
Casey Schaufler
2018-05-15 14:50:04 UTC
Post by Stephen Smalley
Post by Casey Schaufler
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
Did that first thing.
Digging down, I find that the "make -C policy load" is failing.
make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
<snip>
I bet the reason it's doing this is obvious. Just not to me.
Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
That's noted in the README but used to be the default in Fedora (changed in 28).
Yup, that did the trick. Thank you.

I suggest that you move the note about expand-check up from "Running the Tests"
into "Userland and Base Policy". With the Fedora 28 change it's much more likely
to be an issue.
Paul Moore
2018-05-15 21:08:17 UTC
On Tue, May 15, 2018 at 10:50 AM, Casey Schaufler
Post by Casey Schaufler
Post by Stephen Smalley
Post by Casey Schaufler
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
Did that first thing.
Digging down, I find that the "make -C policy load" is failing.
make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
<snip>
I bet the reason it's doing this is obvious. Just not to me.
Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
That's noted in the README but used to be the default in Fedora (changed in 28).
Yup, that did the trick. Thank you.
I suggest that you move the note about expand-check up from "Running the Tests"
into "Userland and Base Policy". With the Fedora 28 change it's much more likely
to be an issue.
Let's just add a check to the Makefile before we attempt to load the
policy. People are more likely to notice a meaningful error message
than they are instructions in the docs. Check the patch I just sent
to the list.
--
paul moore
www.paul-moore.com
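
Added example (not part of the thread, and not the patch Paul Moore refers to): a shell pre-check of the kind proposed above, which reads a semanage.conf-style file and refuses to proceed unless expand-check is 0. The function names and the sample files are constructed for illustration; treating an absent key as "checking enabled" is an assumption that matches the behaviour described in the thread.

```shell
#!/bin/sh
# Added illustration; not selinux-testsuite code. Function names are hypothetical.

# Print the effective expand-check value from a semanage.conf-style file.
expand_check_value() {
    # The pattern is anchored at line start, so a commented-out
    # "#expand-check=0" does not match. If the key appears more than
    # once, the last uncommented occurrence is taken (assumption).
    val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    # Assumption: a missing key (or missing file) means checking is on,
    # which is what the Fedora 28 failure in this thread implies.
    printf '%s\n' "${val:-1}"
}

# Return 0 when the test policy can be loaded; otherwise print a
# message naming the setting and return 1.
policy_load_precheck() {
    conf=${1:-/etc/selinux/semanage.conf}
    if [ "$(expand_check_value "$conf")" != "0" ]; then
        echo "expand-check is enabled in $conf;" \
             "set 'expand-check = 0' before 'make -C policy load'" >&2
        return 1
    fi
}

# Constructed sample configs (not copied from any real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'module-store = direct' '#expand-check=0' > "$sample_dir/commented.conf"
printf '%s\n' 'module-store = direct' 'expand-check = 0' > "$sample_dir/disabled.conf"
printf '%s\n' 'expand-check=0' 'expand-check = 1'       > "$sample_dir/reenabled.conf"

for f in commented disabled reenabled; do
    if policy_load_precheck "$sample_dir/$f.conf" 2>/dev/null; then
        echo "$f.conf: ok to load the test policy"
    else
        echo "$f.conf: neverallow checking is on, the load would be rejected"
    fi
done
```
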
Casey Schaufler
2018-05-16 15:34:02 UTC
Post by Paul Moore
On Tue, May 15, 2018 at 10:50 AM, Casey Schaufler
Post by Casey Schaufler
Post by Stephen Smalley
Post by Casey Schaufler
It's been running fine for me. Maybe you just need to clean your tree and do a fresh make test.
Did that first thing.
Digging down, I find that the "make -C policy load" is failing.
make[1]: Leaving directory '/home/cschaufler/SELinux/selinux-testsuite/policy/test_policy'
# General policy load
<snip>
I bet the reason it's doing this is obvious. Just not to me.
Add or uncomment expand-check = 0 in /etc/selinux/semanage.conf.
That's noted in the README but used to be the default in Fedora (changed in 28).
Yup, that did the trick. Thank you.
I suggest that you move the note about expand-check up from "Running the Tests"
into "Userland and Base Policy". With the Fedora 28 change it's much more likely
to be an issue.
Let's just add a check to the Makefile before we attempt to load the
policy. People are more likely to notice a meaningful error message
than they are instructions in the docs. Check the patch I just sent
to the list.
I think that will do just fine. Thank you.

Paul Moore
2018-05-15 01:39:33 UTC
I run it several times a week on Rawhide, it's running fine for me.

FWIW, usually when people are having a problem running the
selinux-testsuite it is because they didn't follow the README very
closely. I'm not saying that's the case here, but it couldn't hurt to
give it a second look ...

On Mon, May 14, 2018 at 7:48 PM, Stephen Smalley
It's been running fine for me. Maybe you just need to clean your tree and do
a fresh make test.
Post by Casey Schaufler
Has anyone had success with the SELinux test suite on Fedora 28?
I find the chcon and newrole are unhappy with the contexts used
in the suite.
--
paul moore
www.paul-moore.com