BUG: inet_socket test failures on RHEL-6.x based systems #37

Closed
pcmoore opened this issue Jun 8, 2018 · 2 comments

Member

pcmoore commented Jun 8, 2018

See the upstream mailing list for details, but basically the change to tighten the inet_socket test checks results in at least two inet_socket test failures on current RHEL-6.x systems.

The commit which triggers the problem:

commit c618ab669b0c580bb3fa000b168d7d4b5a00c5ee (github/inetsocket)
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Thu Oct 26 09:29:37 2017 -0400

selinux-testsuite: inet_socket: tighten checking

As demonstrated by https://github.com/SELinuxProject/selinux-kernel/issues/36,
the inet_socket tests can "pass" for the wrong reasons.  Change the
client program to use different exit codes for different failures,
and change the test script to check the expected exit code for all tests.
With this change, getting an unexpected peer label causes a test failure
rather than being treated identically to a permission denial.

NB This could make the tests more fragile, e.g. it appears that we encounter
permission denial failures at different points for different tests, so we
may need to relax the checking somewhat based on testing a wider range of
older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The upstream mailing list thread which discusses the RHEL-6.x issue:

Member Author

pcmoore commented Jun 11, 2018

Quick update: the following patch appears to solve the problem on RHEL-6.x based systems and doesn't adversely affect RHEL-7.x or Fedora systems:

diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index c25900b..428d28e 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -33,6 +33,16 @@ corenet_udp_bind_all_nodes(test_inet_server_t)
 corenet_inout_generic_if(test_inet_server_t)
 corenet_inout_generic_node(test_inet_server_t)
 
+# We need to ensure that the test domain is MCS constrained.
+## newer systems, e.g. Fedora and RHEL >= 7.x
+ifdef(`mcs_constrained', `
+       mcs_constrained(test_inet_server_t)
+')
+## older systems, e.g. RHEL == 6.x
+ifdef(`mcs_untrusted_proc', `
+       mcs_untrusted_proc(test_inet_server_t)
+')
+
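Review bot: the two ifdef blocks added after corenet_inout_generic_node() have no fallback, so on a policy that defines neither mcs_constrained nor mcs_untrusted_proc the module still builds and test_inet_server_t is silently left without the MCS constraint that the leading comment says is needed. Consider stating in the comment what happens in that case, and why the constraint matters for the inet_socket checks, so that a later failure on such a system can be traced back to this block. The comment markers are also inconsistent ("#" for the first line, "##" for the two per-release lines); using one style throughout would read more cleanly.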

Member Author

pcmoore commented Jun 11, 2018

This should be fixed in commit 3aaf349.

pcmoore closed this as completed Jun 11, 2018