SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

ERROR 'permission mmap_file_perms is not defined for class file' at token ';' on line 20841: #73

Closed rkroshan closed 4 years ago

rkroshan commented 4 years ago

I was trying the selinux-testsuite on my debian buster vm.

As per the instructions I install all the dependencies but after running the command "make -C policy load" I got the following error:

test_policy.te:498:ERROR 'permission mmap_file_perms is not defined for class file' at token ';' on line 20841: allow test_execute_notrans_t test_execute_notrans_allowed_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };

Here is the snapshot: Screenshot from 2020-05-04 19-17-10

My kernel version : 4.19.0.8-amd64

stephensmalley commented 4 years ago

It appears that Debian removes the mmap_file_perms macro in its patches to refpolicy, likely because it is deprecated. We can switch to using mmap_exec_file_perms. However we do not yet test the testsuite on debian so there are likely other issues as well.

rkroshan commented 4 years ago

Thanks stephensmalley for the help

Changing the mmap_file_perms macro to mmap_exec_file_perms in the test_execute_no_trans.te file resolved that error, but after that I got the following error:

Could not change active booleans: Invalid boolean

Here is the snapshot: Screenshot from 2020-05-05 11-42-48

It appears from the Makefile that we have to run setsebool allow_fd_use=0 to allow all domains to use other domains' file descriptors. But there is no such SELinux boolean in Debian. Is there any alternative?

Here is the list of all the SELinux booleans I found on my system. I tried to find an appropriate one but couldn't; if you find one, please let me know. selinux-booleans-debian.txt

stephensmalley commented 4 years ago

The missing boolean is non-fatal. Only Fedora has allow_fd_use so no action is required on Debian for that. The error is the failure to resolve a typeattributeset statement in the test policy. I have set up a Debian VM to reproduce and am looking into it. However I am not optimistic since it appears that Debian selinux is not in a very good state. On my system, the entire systemd --user session is left running in init_t and initrc_t, with an error from pam_selinux, so a gdm login ends up in initrc_t instead of unconfined_t. We need to first resolve labeling problems in Debian, then resolve any denials preventing going enforcing, then we can get the testsuite building and running. This will take some time. I am more inclined to target this for Debian unstable than stable since we are unlikely to be able to get major updates into stable now.

stephensmalley commented 4 years ago

For clarification: is your shell running in unconfined_t or initrc_t (or something else)? id -Z. Is your system enforcing or permissive? getenforce. Ultimately it will have to be enforcing to run the testsuite successfully but you don't want to switch to enforcing until you have resolved any labeling or denial problems.

stephensmalley commented 4 years ago

Also can you provide the package list that you installed as dependencies? We should add the Debian package names to the README. Feel free to submit a patch or you can just add them as a comment and we'll try to get around to adding them.

rkroshan commented 4 years ago

> For clarification: is your shell running in unconfined_t or initrc_t (or something else)? id -Z. Is your system enforcing or permissive? getenforce. Ultimately it will have to be enforcing to run the testsuite successfully but you don't want to switch to enforcing until you have resolved any labeling or denial problems.

My shell is running in the unconfined_t domain. The system is in permissive mode, but I also tried enforcing mode and the error still persists.

rkroshan commented 4 years ago

> Also can you provide the package list that you installed as dependencies? We should add the Debian package names to the README. Feel free to submit a patch or you can just add them as a comment and we'll try to get around to adding them.

Here is the list of packages I installed using apt:

```shell
apt install selinux-basics selinux-policy-default perl gcc net-tools \
    libsctp-dev lksctp-tools keyutils libkeyutils1 libkeyutils-dev attr \
    xfsprogs uuid-dev libnl-3-dev libnl-utils libpfm4 libpfm4-dev quota
```

I am not sure about the libpfm4 and libpfm4-dev packages, but for the other packages I am sure they are the appropriate ones, as I compared the Fedora package descriptions with the packages that I installed.

stephensmalley commented 4 years ago

This is what I needed to get the test policy to build/load on Debian unstable: https://github.com/stephensmalley/selinux-testsuite/commit/7b6bc4da5277eb80fe87ca15fc207e0d859f4702

stephensmalley commented 4 years ago

I also had to dpkg-reconfigure dash and set it to No so that bash would be used as the default shell for make and perl system; otherwise various bashisms failed.

stephensmalley commented 4 years ago

With those changes, I could build and run the testsuite but there are a lot of failures still.

stephensmalley commented 4 years ago

Working my way through the denials; will have more policy fixes. Some of them are things allowed in Fedora to all domains but not in Debian. Certain mmap tests can't succeed due to noexec mount of /dev in Debian unstable.

stephensmalley commented 4 years ago

Also you'll need to build and install netlabel_tools yourself; it isn't packaged for Debian yet. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959806

rkroshan commented 4 years ago

> With those changes, I could build and run the testsuite but there are a lot of failures still.

I think that may be an issue with missing packages.

I resolved some failures:

  1. selinux.h header file not found: resolved by installing the libselinux1-dev package
  2. bpf.h header file not found: resolved by installing libbpf-dev
  3. xfs header files: resolved by installing the xfslibs-dev package

After this the testsuite ran completely, but 8 test programs and 116 subtests failed. Here is the result snapshot:

selinux-testsuite-result-debian.txt

stephensmalley commented 4 years ago

Did you attach the wrong txt file? stress-ng-result? Anyway, I am currently working my way through the denials I see on Debian unstable and will upload fixes once I am done.

rkroshan commented 4 years ago

> Did you attach the wrong txt file? stress-ng-result? Anyway, I am currently working my way through the denials I see on Debian unstable and will upload fixes once I am done.

Oh sorry, I updated it.

stephensmalley commented 4 years ago

More fixes here: https://github.com/stephensmalley/selinux-testsuite/commit/39bb93d6128188b9a2ffaf9fda50bfc14c9130b7

stephensmalley commented 4 years ago

NB: You must build and install netlabel_tools as noted above. On Debian unstable with the two commits noted above, I still have 5/64 test programs and 95/869 subtests failing. If/when I get all of those to pass, I'll look at Debian stable, but no guarantees there.

rkroshan commented 4 years ago

> More fixes here: stephensmalley@39bb93d

The pkg-config package is required for building netlabel_tools, and also linux-headers-$(uname -r) instead of the linux-headers package, and you haven't mentioned in the README what setting to apply for dpkg-reconfigure dash.

rkroshan commented 4 years ago

I created a new Debian 10 VM and did everything from the start as directed in the updated README.

Here is the snapshot of the updated testsuite result: selinux-testsuite-updated-result-debian.txt

The inet_socket test cases are still failing with the error: netlabelctl: error, failed to initialize the NetLabel library

But most of the test cases passed; only 3/58 test programs and 21/654 subtests failed.

stephensmalley commented 4 years ago

Maybe the Debian stable kernel didn't support NetLabel? I have the inet_socket tests all passing on Debian unstable. I am almost done fixing everything on unstable, will then confirm the changes don't break Fedora, and then will look at Debian stable.

stephensmalley commented 4 years ago

https://github.com/stephensmalley/selinux-testsuite/tree/debianfixes contains all my fixes for Debian unstable. With those changes, the testsuite passes in full on Debian unstable for me. Haven't updated the README yet for your comments above. Next up for me is to confirm that it still works on Fedora, then squash it all together and clean it up, test it on Debian stable and see whether that's even viable, then submit upstream.

stephensmalley commented 4 years ago

Ok, everything works still on Fedora and all of the tests except for inet_socket pass on Debian stable too, and the failures were all due to lack of CONFIG_NETLABEL=y in the Debian stable kernel. So I think it is good to go and I'll just do some cleanup and submit.
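A preflight script that pulls together the checks raised across this thread: the shell domain and enforcing mode asked about earlier, /bin/sh being dash, the noexec mount of /dev, the Fedora-only fd-use boolean that makes setsebool complain, the refpolicy macro that Debian drops, netlabel_tools, and the CONFIG_NETLABEL kernel option. This is an added example, not code from the testsuite or from either participant. The policy header directory, the boolean name allow_domain_fd_use (the thread writes it as allow_fd_use; check policy/Makefile for the exact spelling) and the PASS/WARN wording are assumptions, and every helper takes an optional input path so it can be exercised on constructed files instead of the live host.

```shell
#!/bin/sh
# preflight.sh: sanity checks before running selinux-testsuite on Debian.
# Without arguments each helper inspects the live host; with a path argument
# it reads that file instead, so the logic can be tested on constructed input.

# Type (domain) field of an SELinux context, e.g. "unconfined_t".
context_domain() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True if CONFIG_NAME is built in (=y) or a module (=m) in a kernel config.
kernel_has_option() {
    opt=$1 cfg=${2:-/boot/config-$(uname -r)}
    grep -Eq "^${opt}=(y|m)$" "$cfg"
}

# True if MOUNTPOINT carries the noexec option in a /proc/mounts-style file;
# a noexec /dev is why some mmap tests cannot pass on Debian unstable.
mount_is_noexec() {
    awk -v m="$1" '$2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
                   END { exit !found }' "${2:-/proc/mounts}"
}

# True if SH (default /bin/sh) resolves to bash. On Debian it is dash unless
# "dpkg-reconfigure dash" was answered No, and the Makefile bashisms fail.
sh_is_bash() {
    [ "$(basename "$(readlink -f "${1:-/bin/sh}")")" = bash ]
}

# True if boolean NAME exists; input is "getsebool -a" output ("name --> on").
bool_exists() {
    name=$1
    if [ -n "${2:-}" ]; then grep -q "^${name} --> " "$2"
    else getsebool -a 2>/dev/null | grep -q "^${name} --> "; fi
}

# True if a refpolicy support macro (e.g. mmap_exec_file_perms) is defined in
# the installed policy headers. The default directory is an assumption for
# Debian's selinux-policy-dev; Fedora's selinux-policy-devel uses
# /usr/share/selinux/devel/include.
policy_macro_defined() {
    grep -rqs -e "define(\`$1'" "${2:-/usr/share/selinux/default/include}"
}

# Report for the live host, one PASS/WARN/INFO line per check.
preflight() {
    fdbool=${FD_BOOL:-allow_domain_fd_use}   # assumed name; see policy/Makefile
    d=$(context_domain "$(id -Z 2>/dev/null)")
    [ "$d" = unconfined_t ] && echo "PASS shell domain $d" || echo "WARN shell domain '$d' (want unconfined_t; initrc_t means gdm/pam_selinux labeling is broken)"
    mode=$(getenforce 2>/dev/null)
    [ "$mode" = Enforcing ] && echo "PASS $mode" || echo "WARN mode '$mode' (go enforcing only after labeling and denials are resolved)"
    sh_is_bash && echo "PASS /bin/sh is bash" || echo "WARN /bin/sh is not bash: dpkg-reconfigure dash and answer No"
    mount_is_noexec /dev && echo "WARN /dev is noexec: some mmap tests cannot pass" || echo "PASS /dev permits exec"
    bool_exists "$fdbool" && echo "PASS boolean $fdbool present" || echo "INFO no boolean $fdbool (Fedora-only; the setsebool failure is non-fatal)"
    policy_macro_defined mmap_exec_file_perms && echo "PASS mmap_exec_file_perms defined" || echo "WARN mmap_exec_file_perms not found in policy headers"
    kernel_has_option CONFIG_NETLABEL && echo "PASS CONFIG_NETLABEL" || echo "WARN CONFIG_NETLABEL not set: inet_socket tests will fail"
    command -v netlabelctl >/dev/null 2>&1 && echo "PASS netlabelctl found" || echo "WARN netlabelctl missing: build and install netlabel_tools"
}

case "${1:-}" in --run) preflight ;; esac
```

Run it as `sh preflight.sh --run` from the shell you intend to run the testsuite in, since the domain check reports the context of that shell, not of the login session.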

rkroshan commented 4 years ago

> Ok, everything works still on Fedora and all of the tests except for inet_socket pass on Debian stable too, and the failures were all due to lack of CONFIG_NETLABEL=y in the Debian stable kernel. So I think it is good to go and I'll just do some cleanup and submit.

It's a silly question, but I am not able to edit the kernel config file. make oldconfig or make menuconfig do not work; they end up with this error: /usr/src/linux-headers-4.19.0-8-common/scripts/basic/Makefile: No such file or directory, even though I have all the dependency packages installed.

Here is the snapshot: Screenshot from 2020-05-06 12-39-17

Anyway, I will let you know when I am done.

rkroshan commented 4 years ago

> Ok, everything works still on Fedora and all of the tests except for inet_socket pass on Debian stable too, and the failures were all due to lack of CONFIG_NETLABEL=y in the Debian stable kernel. So I think it is good to go and I'll just do some cleanup and submit.

Yes, except for the inet_socket test cases, all test cases passed.

stephensmalley commented 4 years ago

As I've never built a kernel on Debian I can't help with that per se, although when I build kernels I just clone one of the public git trees from git.kernel.org and build it using its own Makefiles and instructions, not via a package. However, this might be helpful although I haven't tried it: https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#s-common-official

stephensmalley commented 4 years ago

I did not build my own kernel on Debian. On Debian stable, everything passed except for the netlabel-dependent tests in inet_socket, and I confirmed that CONFIG_NETLABEL=n in /boot/config-$(uname -r). On Debian unstable, all of the tests passed. That was good enough for me. When testing new kernels, I build from an upstream git repository, using an existing /boot/config-$(uname -r) as my starting point followed by localmodconfig followed by merging with the testsuite defconfig fragment.

stephensmalley commented 4 years ago

Submitted https://lore.kernel.org/selinux/CAEjxPJ7GVYBTKyiQM8_XdnbXk26-Eq_cPAs1zrtK8Aj=FfZd_A@mail.gmail.com/T/#t

rkroshan commented 4 years ago

Stephen, in GNOME desktop mode, after running setenforce 1, the system crashes. It is happening before loading the test policy.

rkroshan commented 4 years ago

> I did not build my own kernel on Debian. On Debian stable, everything passed except for the netlabel-dependent tests in inet_socket, and I confirmed that CONFIG_NETLABEL=n in /boot/config-$(uname -r). On Debian unstable, all of the tests passed. That was good enough for me. When testing new kernels, I build from an upstream git repository, using an existing /boot/config-$(uname -r) as my starting point followed by localmodconfig followed by merging with the testsuite defconfig fragment.

Yes, I also built kernel 4.19.98 on Debian with the updated kernel config. The testsuite is working fine; all test cases passed.

Here is the snapshot: selinux-testsuite-debian-test-result-updated.txt

rkroshan commented 4 years ago

> Stephen, in GNOME desktop mode, after running setenforce 1, the system crashes. It is happening before loading the test policy.

It is also crashing after loading the policy and then running setenforce 1 in GNOME mode.

stephensmalley commented 4 years ago

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874191 I ran the tests from a ssh shell running in unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023. I likewise was unable to get gdm working; I see the same behavior as the bug cited above with processes running in initrc_t instead of unconfined_t. If I switch to sddm and kde-standard and login via KDE Plasma, my terminals are in unconfined_t and I can run the testsuite. I raised the gdm bug to the Debian SELinux maintainers attention and they are supposedly going to fix it but one of them uses KDE instead and the other seems to be using custom policy. I'd like to look into fixing Debian SELinux policy to work out of the box but am not yet sure how much effort is required there.

stephensmalley commented 4 years ago

I thought you said however that your shell was running in unconfined_t. Not sure how that is possible if using gdm and selinux-policy-default; I get initrc_t as in the bug above.

rkroshan commented 4 years ago

> I thought you said however that your shell was running in unconfined_t. Not sure how that is possible if using gdm and selinux-policy-default; I get initrc_t as in the bug above.

Yes, you are right, the terminal opens in context system_u:system_r:initrc_t:s0. I forgot to check earlier.

stephensmalley commented 4 years ago

Ok. We really shouldn't clutter this issue with Debian selinux policy or userspace bug discussion; this one is just for selinux-testsuite debian support, which I believe will be resolved when the final version of my patch is merged. Take discussion of Debian selinux policy/userspace problems to the Debian selinux maintainers and bug system, or to the upstream selinux mailing list if some things are not truly Debian specific.

stephensmalley commented 4 years ago

Fixed upstream as of https://github.com/SELinuxProject/selinux-testsuite/commit/22a6af134fc6d948feb03ad958bad46fbd537d42