Linux
SELinux regression test failure
I cloned the selinux-testsuite regression tests from https://github.com/SELinuxProject/selinux-testsuite
I am running the tests in a CentOS Linux release 7.6.1810 (Core) VM. I don't think that is relevant.
SELinux was running with the targeted policy before I installed the temporary test policy with:
```
make -C policy load
```
sestatus reports:
```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
```
I believe I ran the test suite exactly as described in the instructions. However, when I run it I see one failure:
```
[snipped OK messages]
bounds/test ................. ok
nnp_nosuid/test ............. ok
mmap/test ................... 1/47
#   Failed test 27 in mmap/test at line 143
#    mmap/test line 143 is: ok($result);
mmap/test ................... Failed 1/47 subtests
unix_socket/test ............ ok
inet_socket/test ............ ok
[more snipped OK messages]

Test Summary Report
-------------------
mmap/test                 (Wstat: 0 Tests: 47 Failed: 1)
  Failed test:  27
Files=51, Tests=520, 35 wallclock secs ( 0.11 usr  0.04 sys +  0.77 cusr  0.94 csys =  1.86 CPU)
Result: FAIL
Failed 1/51 test programs. 1/520 subtests failed.
```
I isolated the problematic test out of the mmap test group into:
```bash
#!/bin/bash
basedir=$(pwd)/tests/mmap
if [ ! -d "$basedir" ]; then
  printf 'Error: missing basedir: %s\n' "$basedir"
  exit 1
fi

# Clean up from prior runs.
rm -f "$basedir/temp_file"

# Create temporary file (8 blocks of zeros); silence dd's transfer summary.
# Note: "> /dev/null 2>&1" silences both streams; the reversed order
# "2>&1 > /dev/null" would still let stderr through.
dd if=/dev/zero of="$basedir/temp_file" count=8 > /dev/null 2>&1
printf '\ncreate: OK\n'

# Label the file so the test policy's map rules apply to it.
chcon -t test_mmap_file_t "$basedir/temp_file"
printf '\nchcon: OK\n'

if [ ! -f "$basedir/mmap_file_shared" ]; then
  printf 'Error - missing executable: %s\n' "$basedir/mmap_file_shared"
  exit 1
fi
if [ ! -f "$basedir/temp_file" ]; then
  printf 'Error - missing temp file: %s\n' "$basedir/temp_file"
  exit 1
fi

# Run the mmap helper in the test domain that is NOT allowed to map the file.
/bin/runcon -t test_no_map_t -- "$basedir/mmap_file_shared" "$basedir/temp_file"
```
which generates this AVC message in /var/log/audit/audit.log:
```
type=AVC msg=audit(1556563573.950:2466): avc:  denied  { search } for  pid=16708 comm="mmap_file_share" name="vagrant" dev="dm-0" ino=81922 scontext=unconfined_u:unconfined_r:test_no_map_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
```
I'm not entirely sure whether this AVC is intended by the test suite (as a negative test case). But I'd like to understand this failure.
To close the loop, Ondrej Mosnacek on the selinux mailing list provided the answer:
Quoth Ondrej:
RHEL and CentOS 7.6 set the domain_can_mmap_files SELinux boolean to "on" by default [1], which basically means the map permission is not checked, which logically causes the tests that check that the map permission is denied when the test policy does not allow it to fail. When running the testsuite on CentOS/RHEL 7.6, you need to turn the domain_can_mmap_files boolean off for the duration of the test run.
To work around it, I did:
```bash
# Get the original value of the bool (getsebool prints "domain_can_mmap_files --> on")
OLD_MMAP_BOOL=$(getsebool domain_can_mmap_files | awk '{ print $3 }')
# Disable it (non-persistently: no -P, so it reverts on the next policy reload/reboot)
sudo setsebool domain_can_mmap_files off
# Run the test suite
make -C tests test
# Restore the previous state. The value is expanded by the calling shell, so it
# does not need to be passed through sudo's environment.
sudo setsebool domain_can_mmap_files "$OLD_MMAP_BOOL"
```
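The snippet above leaves the boolean off if the test run aborts or is interrupted between the two setsebool calls. As an added example (not code from the original post or from selinux-testsuite), the wrapper below does the same save/disable/run/restore sequence but validates the value it read back and restores it on every exit path. The GETSEBOOL and SETSEBOOL hook variables are this example's own invention so the logic can be exercised without root; their defaults assume setsebool needs sudo, as in the post.

```bash
#!/bin/bash
# Added example, not from the original post: save an SELinux boolean, turn it
# off, run a command (e.g. the testsuite) and put the saved value back even if
# the command fails or is interrupted.
# Usage: ./with-bool-off.sh make -C tests test
#
# GETSEBOOL / SETSEBOOL are overridable hooks belonging to this example only;
# the defaults assume setsebool needs sudo (assumption taken from the post).
: "${GETSEBOOL:=getsebool}"
: "${SETSEBOOL:=sudo setsebool}"

# parse_sebool LINE: pull the value out of getsebool's "name --> on" format;
# prints nothing if the line does not look like that (e.g. an error message).
parse_sebool() {
  printf '%s\n' "$1" | awk '$2 == "-->" { print $3; exit }'
}

# bool_value NAME: current value ("on" or "off") of the boolean NAME.
bool_value() {
  parse_sebool "$($GETSEBOOL "$1")"
}

# with_bool_off NAME CMD...: run CMD with NAME switched off; returns CMD's
# exit status. The change is non-persistent (no -P), exactly as in the post.
with_bool_off() {
  name=$1; shift
  old=$(bool_value "$name")
  case $old in
    on|off) ;;
    *) echo "cannot read SELinux boolean '$name'" >&2; return 1 ;;
  esac
  $SETSEBOOL "$name" off || return 1
  # Restore the saved value if the run is interrupted (Ctrl-C, kill).
  trap '$SETSEBOOL "$name" "$old"; exit 130' INT TERM
  if "$@"; then status=0; else status=$?; fi
  trap - INT TERM
  $SETSEBOOL "$name" "$old"
  return "$status"
}

# Only act when a command is given, so sourcing the file just defines helpers.
if [ $# -gt 0 ]; then
  with_bool_off domain_can_mmap_files "$@"
fi
```

Because the restore happens after the command regardless of its exit status, a failing test run still leaves domain_can_mmap_files as it was found, and the wrapper's own exit status is the test suite's, so it can be used as-is in a script or CI job.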