Closed by pcmoore 6 years ago
Quick update: the following patch appears to solve the problem on RHEL-6.x based systems and doesn't adversely affect RHEL-7.x or Fedora systems:
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index c25900b..428d28e 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -33,6 +33,16 @@ corenet_udp_bind_all_nodes(test_inet_server_t)
corenet_inout_generic_if(test_inet_server_t)
corenet_inout_generic_node(test_inet_server_t)
+# We need to ensure that the test domain is MCS constrained.
+## newer systems, e.g. Fedora and RHEL >= 7.x
+ifdef(`mcs_constrained', `
+ mcs_constrained(test_inet_server_t)
+')
+## older systems, e.g. RHEL == 6.x
+ifdef(`mcs_untrusted_proc', `
+ mcs_untrusted_proc(test_inet_server_t)
+')
+
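Review bot: The two ifdef blocks added at the end of this hunk are independent of each other, so a policy that defines neither `mcs_constrained` nor `mcs_untrusted_proc` gets nothing from either block and test_inet_server_t is silently left without an MCS constraint. A policy that defines both gets both calls. Consider placing the `mcs_untrusted_proc` check in the else (third) argument of the first ifdef so that exactly one interface is applied, and stating in the leading comment what is expected when neither interface exists. Minor style point: the added comments mix `#` and `##` prefixes; use one consistently.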
This should be fixed in commit 3aaf34905955524150b2eb555148a9ff15602b30.
See the upstream mailing list for details, but basically the change to tighten the inet_socket test checks results in at least two inet_socket test failures on current RHEL-6.x systems.
The commit which triggers the problem:
The upstream mailing list thread which discusses the RHEL-6.x issue: