Linux

SELinux 回歸測試失敗

  • May 6, 2019

我從以下網址複製了 selinux-testsuite 回歸測試:https ://github.com/SELinuxProject/selinux-testsuite

我在 CentOS Linux 版本 7.6.1810 (Core) VM 中執行測試。我不認為這是相關的。

在我安裝臨時測試策略之前,SELinux 正在使用目標策略執行:

make -C policy load

sestatus 說

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

我相信我已按照說明準確執行測試套件。但是,當我執行它時,我看到一個失敗:

[snipped OK messages]

bounds/test ................. ok     
nnp_nosuid/test ............. ok     
mmap/test ................... 1/47 # Failed test 27 in mmap/test at line 143
#  mmap/test line 143 is:     ok($result);
mmap/test ................... Failed 1/47 subtests 
unix_socket/test ............ ok   
inet_socket/test ............ ok     

[more snipped OK messages]

Test Summary Report
-------------------
mmap/test                 (Wstat: 0 Tests: 47 Failed: 1)
 Failed test:  27
Files=51, Tests=520, 35 wallclock secs ( 0.11 usr  0.04 sys +  0.77 cusr  0.94 csys =  1.86 CPU)
Result: FAIL
Failed 1/51 test programs. 1/520 subtests failed.

我將有問題的測試從 mmap 測試組中隔離到:

#!/bin/bash

basedir=$(pwd)/tests/mmap

if [ ! -d $basedir ]; then
   printf "Error: missing basedir: $basedir\n"
   exit 1
fi

# Clean up from prior runs.
rm -f $basedir/temp_file

# Create temporary file.
dd if=/dev/zero of=$basedir/temp_file count=8 2>&1 > /dev/null
printf "\ncreate: OK\n"
chcon -t test_mmap_file_t $basedir/temp_file
printf "\nchcon: OK\n"

if [ ! -f $basedir/mmap_file_shared ]; then
   printf "Error - missing executable: $basedir/mmap_file_shared\n"
   exit 1
fi

if [ ! -f $basedir/temp_file ]; then
   printf "Error - missing temp file: $basedir/temp_file\n"
   exit 1
fi

/bin/runcon -t test_no_map_t -- $basedir/mmap_file_shared $basedir/temp_file

在 /var/log/audit/audit.log 中生成 AVC 消息:

type=AVC msg=audit(1556563573.950:2466): avc:  denied  { search } for  pid=16708 comm="mmap_file_share" name="vagrant" dev="dm-0" ino=81922 scontext=unconfined_u:unconfined_r:test_no_map_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

我不完全確定這個 AVC 是否是由測試套件打算的(作為負面測試案例)。但我想了解這種失敗。

為了結束這個循環,selinux 郵件列表的 Ondrej Mosnacek 提供了答案:

Quoth Ondrej:

RHEL 和 CentOS 7.6 預設將 domain_can_mmap_files SELinux 布爾值設置為“on” $$ 1 $$,這基本上意味著不檢查地圖權限,這在邏輯上會導致檢查地圖權限在測試策略不允許時被拒絕的測試失敗。在 CentOS/RHEL 7.6 上執行測試套件時,您需要在測試執行期間關閉 domain_can_mmap_files 布爾值。

為了解決它,我做了:

# Get the original value of the bool
export OLD_MMAP_BOOL=$(getsebool domain_can_mmap_files | awk '{ print $3 }')
# Disable it
sudo setsebool domain_can_mmap_files off
# Run the test suite
make -C tests test
# Restore the previous state
sudo OLD_MMAP_BOOL=$OLD_MMAP_BOOL setsebool domain_can_mmap_files $OLD_MMAP_BOOL

引用自:https://serverfault.com/questions/965157