Closed rhatdan closed 7 years ago
@rhvgoyal PTAL
Ran new tests. I think in entrypoint tests stderr needs to be redirected.
```
Attempting to enter domain with bad entrypoint, should fail. runcon: ‘./container1/merged/badentrypoint’: Permission denied
ok 114
```
Also it is complaining about running less tests than planned.
What is the status on these tests? Still see a failure on rawhide.
@stephensmalley One of the patches is yet to be merged upstream. Once that gets merged, the failure on rawhide should go away.
This is the overlay patch where we first switch to the mounter's creds before doing getattr. Otherwise getattr fails.
@stephensmalley @pcmoore I tested this PR with the -rc1 kernel and these tests are now passing. Can we merge this too?
BTW, with -rc1 kernel, doing "make -C policy/ load" throws lots of backtraces and warnings about locking. It might be a kernel selinux issue.
```
vm5-f24 login: [   53.983102] ------------[ cut here ]------------
[   53.985841] WARNING: CPU: 3 PID: 1628 at kernel/softirq.c:161 local_bh_enable_ip+0x9d/0xc0
[   53.987111] Modules linked in: bridge stp llc xt_conntrack nfnetlink iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_security dm_thin_pool dm_persistent_data dm_bio_prison libcrc32c joydev ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel virtio_balloon parport_pc parport nfsd i2c_piix4 acpi_cpufreq auth_rpcgss nfs_acl lockd grace sunrpc virtio_console virtio_blk virtio_net qxl drm_kms_helper ttm ata_generic drm crc32c_intel serio_raw pata_acpi virtio_pci virtio_ring virtio
[   53.994983] CPU: 3 PID: 1628 Comm: setsebool Not tainted 4.9.0-rc1 #196
[   53.995984] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[   54.001050] Call Trace:
[   54.024341] ---------------------------------
[   54.024999] inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage.
[   54.025921] setsebool/1628 [HC0[0]:SC0[0]:HE1:SE1] takes:
[   54.026745]  (policy_rwlock){+++?..}, at:
```
The locking problem existed in 4.9-rc0 as well, this was the locking problem I mentioned in the other thread. I'm currently working on trying to isolate the change but I have a fair number of distractions these days so progress is slow.
For that one at least, in retrospect it was a mistake to add audit_log() calls inside the write_lock_irq() in security_set_bools(). We could split that into an audit phase and the actual boolean update phase, with only the latter under write_lock_irq. Interleaving policy load isn't possible because sel_write_load() and sel_write_bool() both take and hold sel_mutex, so the policy can't change underneath security_set_bools().
All tests pass with 4.9-rc1
NM, that's not the only case triggering these stack traces, e.g. security_task_setpgid() is called while holding write_lock_irq(&tasklist_lock). So I guess we need a more general fix.
Revert this commit and stack dumps go away.

```
commit bc51dddf98c907b598e645ae4b277ed1295b6d5f
Author: WANG Cong <xiyou.wangcong@gmail.com>
Date:   Thu Sep 1 21:53:45 2016 -0700

    netns: avoid disabling irq for netns id

    We never read or change netns id in hardirq context,
    the only place we read netns id in softirq context
    is in vxlan_xmit(). So, it should be enough to just
    disable BH.

    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
```
This seems to be failing where it should not. Not sure if this is an issue in the kernel or in the test suite.
I am seeing this AVC required when trying to create a file in a directory that the mounter can use but the client cannot, in the case where the mounter is using context=LABEL.

```
allow test_overlay_client_t test_overlay_mounter_files_t:dir getattr;
```