ERROR 'permission mmap_file_perms is not defined for class file' at token ';' on line 20841: #73
Comments
It appears that Debian removes the mmap_file_perms macro in its patches to refpolicy, likely because it is deprecated. We can switch to using mmap_exec_file_perms. However, we do not yet test the testsuite on Debian, so there are likely other issues as well.
Thanks stephensmalley for the help. Changing the mmap_file_perms macro to mmap_exec_file_perms in the test_execute_no_trans.te file resolved that error, but after that I got the following error: Could not change active booleans: Invalid boolean. It appears from the makefile that we have to setsebool allow_fd_use=0 for allowing all domains to use other domains' file descriptors. But there is no such SELinux boolean in Debian. Is there any alternative? Here is the list of all the SELinux booleans I find on my system; I tried to find an appropriate one but couldn't find one. If you find one, please let me know.
The missing boolean is non-fatal. Only Fedora has allow_fd_use, so no action is required on Debian for that. The error is the failure to resolve a typeattributeset statement in the test policy. I have set up a Debian VM to reproduce and am looking into it. However, I am not optimistic since it appears that Debian SELinux is not in a very good state. On my system, the entire systemd --user session is left running in init_t and initrc_t, with an error from pam_selinux, so a gdm login ends up in initrc_t instead of unconfined_t. We need to first resolve labeling problems in Debian, then resolve any denials preventing going enforcing, then we can get the testsuite building and running. This will take some time. I am more inclined to target this for Debian unstable than stable since we are unlikely to be able to get major updates into stable now.
For clarification: is your shell running in unconfined_t or initrc_t (or something else)? id -Z. Is your system enforcing or permissive? getenforce. Ultimately it will have to be enforcing to run the testsuite successfully, but you don't want to switch to enforcing until you have resolved any labeling or denial problems.
Also, can you provide the package list that you installed as dependencies? We should add the Debian package names to the README. Feel free to submit a patch, or you can just add them as a comment and we'll try to get around to adding them.
My shell is running in the unconfined_t domain. The system is in permissive mode, but I also tried with enforcing mode; the error still persists.
Here is the list of packages I installed using apt: I am not sure about the libpfm4 and libpfm4-dev packages, but for the other packages I am sure they are the appropriate packages, as I compared the Fedora package descriptions with the packages that I installed.
This is what I needed to get the test policy to build/load on Debian unstable: stephensmalley@7b6bc4d
I also had to dpkg-reconfigure dash and set it to No so that bash would be used as the default shell for make and perl system; otherwise various bashisms failed.
With those changes, I could build and run the testsuite, but there are a lot of failures still.
Working my way through the denials; will have more policy fixes. Some of them are things allowed in Fedora to all domains but not in Debian. Certain mmap tests can't succeed due to the noexec mount of /dev in Debian unstable.
Also, you'll need to build and install netlabel_tools yourself; it isn't packaged for Debian yet. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959806
I think that may be an issue with necessary packages. I resolved some failures:
After this the testsuite ran completely, but 8 test programs failed and 116 subtests failed.
Did you attach the wrong txt file? stress-ng-result? Anyway, I am currently working my way through the denials I see on Debian unstable and will upload fixes once I am done.
Oh sorry, I updated it.
More fixes here:
NB You must build and install netlabel_tools as noted above.
The pkg-config package is required for building netlabel_tools.
I created a new Debian 10 VM and did everything from the start as directed in the updated README. Here is the snapshot of the updated testsuite result: the inet_socket test cases are still failing with the error: netlabelctl: error, failed to initialize the NetLabel library. But most of the test cases passed; only 3/58 test programs and 21/654 subtests failed.
Maybe the Debian stable kernel doesn't support NetLabel? I have the inet_socket tests all passing on Debian unstable. I am almost done fixing everything on unstable, will then confirm the changes don't break Fedora, and then will look at Debian stable.
https://github.com/stephensmalley/selinux-testsuite/tree/debianfixes contains all my fixes for Debian unstable. With those changes, the testsuite passes in full on Debian unstable for me. I haven't updated the README yet for your comments above. Next up for me is to confirm that it still works on Fedora, then squash it all together and clean it up, test it on Debian stable and see whether that's even viable, then submit upstream.
Ok, everything still works on Fedora, and all of the tests except for inet_socket pass on Debian stable too; the failures were all due to lack of CONFIG_NETLABEL=y in the Debian stable kernel. So I think it is good to go and I'll just do some cleanup and submit.
Update the testsuite policy and code so that it builds and runs on Debian unstable and stable successfully (if one has already enabled SELinux on Debian). Provide the necessary dependencies and instructions in the README.
The labeled networking tests rely on specific mlsconstrain statements that exist in Fedora policy but not in Debian, so add them to the test policy as a CIL module; on Fedora this is redundant but harmless. The SCTP tests also assumed that netlabel_peer_t was already marked mcs_constrained() in the base policy, which doesn't appear to be true in Debian, so mark it so in the test policy. The filesystem tests assume the defaultrange rules in the Fedora policy for file MLS/MCS label inheritance, so add those rules as a CIL module to the test policy to get the expected results. Again, on Fedora this is a no-op.
Debian has no allow_domain_fd_use boolean, so conditionalize the setting of it. The real boolean name in policy in Fedora is domain_fd_use; allow_domain_fd_use was an old name that was being mapped by userspace. corenet_tcp/udp_sendrecv_all_ports() is an obsolete interface that no longer exists in refpolicy. mmap_file_perms is an obsolete macro that is deprecated in refpolicy and removed in Debian policy; switch to mmap_exec_file_perms.
Rather than forcing the process user identity to system_u in the filesystem tests (which broke in Debian due to not being authorized for unconfined_r), grant the test_filesystem_fscontext_t domain the ability to create objects in other user identities. This is cleaner. Switch the Infiniband test policy to use the appropriate policy interface if defined rather than hardcoding a reference to the type, neither of which exist in Debian policy. Drop the dead hardcoded reference on bin_t since it is no longer used anywhere outside of an interface.
Convert the network test policies from using bind/connect_generic_port() to using bind/connect_all_unreserved_ports(), since the actual port being used falls in the unreserved port range and the _generic_port() interfaces do not allow access in Debian and likely refpolicy. Update the overlayfs policy to allow the test_overlay_mounter_t domain to read a shell-created temporary file that ends up being labeled user_tmp_t in Debian; this occurs during setup-overlayfs and otherwise breaks mounting. Replace the reference to unconfined_devpts_t, which does not exist in Debian policy, with the more general ptynode attribute. Debian does not allow unprivileged user namespace clones by default, so update the test to enable it when running the test to avoid requiring sys_admin permission to the capability class during the cap_userns tests. Debian unstable is mounting devtmpfs as noexec, which breaks testing of mmap/mprotect PROT_EXEC /dev/zero, so skip those tests if so mounted.
Fixes: SELinuxProject#73
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
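As an added example (not code from the selinux-testsuite or from the patch referenced above), here are the three Debian-specific conditions discussed in this thread written as shell probes: is /dev mounted noexec (skip the mmap/mprotect PROT_EXEC tests), is CONFIG_NETLABEL=y in the kernel config (otherwise the inet_socket NetLabel tests fail), and does a domain_fd_use / allow_domain_fd_use boolean exist (only then call setsebool). Each probe reads its input from a file argument so the constructed sample data below stands in for /proc/mounts, /boot/config-$(uname -r) and `getsebool -a` output; `maybe_disable_fd_use` only prints the setsebool command it would run.

```shell
#!/bin/sh
# Added example: environment probes for the Debian differences noted in the
# thread. Inputs are files so the functions can be exercised offline.

# Is MOUNTPOINT listed with the noexec option in a /proc/mounts-format file?
mount_is_noexec() {
    mountpoint=$1
    mounts=$2
    awk -v mp="$mountpoint" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { exit (found ? 0 : 1) }' "$mounts"
}

# Does a kernel config file enable NetLabel? Without CONFIG_NETLABEL=y the
# inet_socket tests report "failed to initialize the NetLabel library".
kernel_has_netlabel() {
    grep -qx 'CONFIG_NETLABEL=y' "$1"
}

# Given `getsebool -a` output ("name --> on"), print the name under which the
# fd-use boolean exists (Fedora: domain_fd_use, formerly allow_domain_fd_use;
# Debian: neither). Prints nothing when absent.
fd_use_boolean_name() {
    awk '$1 == "domain_fd_use" || $1 == "allow_domain_fd_use" { print $1; exit }' "$1"
}

# Conditionalize the setsebool call, as the patch does: only touch the
# boolean when the loaded policy actually defines it.
maybe_disable_fd_use() {
    name=$(fd_use_boolean_name "$1")
    if [ -n "$name" ]; then
        echo "setsebool $name=0"      # a real run would execute this
    else
        echo "skip: no fd-use boolean on this system"
    fi
}

# --- constructed sample inputs (not captured from a real machine) ---
tmp=$(mktemp -d)
cat > "$tmp/mounts" <<'EOF'
udev /dev devtmpfs rw,nosuid,noexec,relatime,size=1000000k,nr_inodes=250000,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=200000k,mode=755 0 0
/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
EOF
printf 'CONFIG_SECURITY_SELINUX=y\n# CONFIG_NETLABEL is not set\n' > "$tmp/config-stable"
printf 'CONFIG_SECURITY_SELINUX=y\nCONFIG_NETLABEL=y\n' > "$tmp/config-unstable"
printf 'daemons_use_tty --> off\ndomain_fd_use --> on\n' > "$tmp/bools-fedora"
printf 'daemons_use_tty --> off\nsecure_mode --> off\n' > "$tmp/bools-debian"

# Walk through the probes when run directly.
if mount_is_noexec /dev "$tmp/mounts"; then
    echo "/dev is noexec: skip mmap/mprotect PROT_EXEC /dev/zero tests"
fi
kernel_has_netlabel "$tmp/config-stable" || echo "stable config: inet_socket NetLabel tests will fail"
kernel_has_netlabel "$tmp/config-unstable" && echo "unstable config: NetLabel available"
maybe_disable_fd_use "$tmp/bools-fedora"
maybe_disable_fd_use "$tmp/bools-debian"
```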
It's a silly question, but I am not able to edit the kernel config file. make oldconfig or make menuconfig do not work; they end with this error: /usr/src/linux-headers-4.19.0-8-common/scripts/basic/Makefile: No such file or directory, even though I have all the dependency packages installed. Anyway, I will let you know when I am done.
Yes, except for the inet_socket test cases, all test cases passed.
As I've never built a kernel on Debian I can't help with that per se, although when I build kernels I just clone one of the public git trees from git.kernel.org and build it using its own Makefiles and instructions, not via a package. However, this might be helpful, although I haven't tried it:
I did not build my own kernel on Debian. On Debian stable, everything passed except for the netlabel-dependent tests in inet_socket, and I confirmed that CONFIG_NETLABEL=n in /boot/config-
Stephen, in Gnome desktop mode, after setting setenforce = 1, the system crashes. It is happening before loading the test policy.
Yes, I also built kernel 4.19.98 on Debian with the updated kernel config. The testsuite is working fine; all test cases passed. Here is the snapshot:
It is also crashing after loading the policy and then setting setenforce 1 in Gnome mode.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874191 |
I thought you said, however, that your shell was running in unconfined_t. Not sure how that is possible if using gdm and selinux-policy-default; I get initrc_t as in the bug above.
Yes, you are right; the terminal opens in context system_u:system_r:initrc_t:s0. I forgot to check earlier.
Ok. We really shouldn't clutter this issue with Debian SELinux policy or userspace bug discussion; this one is just for selinux-testsuite Debian support, which I believe will be resolved when the final version of my patch is merged. Take discussion of Debian SELinux policy/userspace problems to the Debian SELinux maintainers and bug system, or to the upstream SELinux mailing list if some things are not truly Debian specific.
Fixed upstream as of 22a6af1 |
I was trying the selinux-testsuite on my Debian buster VM.
As per the instructions I installed all the dependencies, but after running the command "make -C policy load" I got the following error:
test_policy.te:498:ERROR 'permission mmap_file_perms is not defined for class file' at token ';' on line 20841: allow test_execute_notrans_t test_execute_notrans_allowed_t:file { { getattr open map read execute ioctl } ioctl lock execute_no_trans };
Here is the snapshot:
My kernel version: 4.19.0.8-amd64