search

SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0
54 stars 43 forks source link

BUG: inet_socket test failures on RHEL-6.x based systems #37

Closed pcmoore closed 6 years ago

pcmoore commented 6 years ago

See the upstream mailing list for details, but basically the change to tighten the inet_socket test checks results in at least two inet_socket test failures on current RHEL-6.x systems.

The commit which triggers the problem:

commit c618ab669b0c580bb3fa000b168d7d4b5a00c5ee (github/inetsocket)
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Thu Oct 26 09:29:37 2017 -0400

selinux-testsuite: inet_socket: tighten checking

As demonstrated by https://github.com/SELinuxProject/selinux-kernel/issues/36,
the inet_socket tests can "pass" for the wrong reasons.  Change the
client program to use different exit codes for different failures,
and change the test script to check the expected exit code for all tests.
With this change, getting an unexpected peer label causes a test failure
rather than being treated identically to a permission denial.

NB This could make the tests more fragile, e.g. it appears that we encounter
permission denial failures at different points for different tests, so we
may need to relax the checking somewhat based on testing a wider range of
older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The upstream mailing list thread which discusses the RHEL-6.x issue:

pcmoore commented 6 years ago

Quick update: the following patch appears to solve the problem on RHEL-6.x based systems and doesn't adversely affect RHEL-7.x or Fedora systems:

diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index c25900b..428d28e 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -33,6 +33,16 @@ corenet_udp_bind_all_nodes(test_inet_server_t)
 corenet_inout_generic_if(test_inet_server_t)
 corenet_inout_generic_node(test_inet_server_t)

+# We need to ensure that the test domain is MCS constrained.
+## newer systems, e.g. Fedora and RHEL >= 7.x
+ifdef(`mcs_constrained', `
+       mcs_constrained(test_inet_server_t)
+')
+## older systems, e.g. RHEL == 6.x
+ifdef(`mcs_untrusted_proc', `
+       mcs_untrusted_proc(test_inet_server_t)
+')
+
pcmoore commented 6 years ago

This should be fixed in commit 3aaf34905955524150b2eb555148a9ff15602b30.