主页 / server / 问题 / 965157
Accepted
nolandda
Asked: 2019-04-30 11:35:07 +0800 CST

SELinux 回归测试失败

  • 772

我从以下网址克隆了 selinux-testsuite 回归测试:https ://github.com/SELinuxProject/selinux-testsuite

我在 CentOS Linux 版本 7.6.1810 (Core) VM 中运行测试。我不认为这是相关的。

在我安装临时测试策略之前,SELinux 正在使用目标策略执行:

make -C policy load

sestatus 说

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

我相信我已按照说明准确运行测试套件。但是,当我运行它时,我看到一个失败:

[snipped OK messages]

bounds/test ................. ok     
nnp_nosuid/test ............. ok     
mmap/test ................... 1/47 # Failed test 27 in mmap/test at line 143
#  mmap/test line 143 is:     ok($result);
mmap/test ................... Failed 1/47 subtests 
unix_socket/test ............ ok   
inet_socket/test ............ ok     

[more snipped OK messages]

Test Summary Report
-------------------
mmap/test                 (Wstat: 0 Tests: 47 Failed: 1)
  Failed test:  27
Files=51, Tests=520, 35 wallclock secs ( 0.11 usr  0.04 sys +  0.77 cusr  0.94 csys =  1.86 CPU)
Result: FAIL
Failed 1/51 test programs. 1/520 subtests failed.

我将有问题的测试从 mmap 测试组中隔离到:

#!/bin/bash

basedir=$(pwd)/tests/mmap

if [ ! -d $basedir ]; then
    printf "Error: missing basedir: $basedir\n"
    exit 1
fi

# Clean up from prior runs.
rm -f $basedir/temp_file

# Create temporary file.
dd if=/dev/zero of=$basedir/temp_file count=8 2>&1 > /dev/null
printf "\ncreate: OK\n"
chcon -t test_mmap_file_t $basedir/temp_file
printf "\nchcon: OK\n"

if [ ! -f $basedir/mmap_file_shared ]; then
    printf "Error - missing executable: $basedir/mmap_file_shared\n"
    exit 1
fi

if [ ! -f $basedir/temp_file ]; then
    printf "Error - missing temp file: $basedir/temp_file\n"
    exit 1
fi

/bin/runcon -t test_no_map_t -- $basedir/mmap_file_shared $basedir/temp_file

在 /var/log/audit/audit.log 中生成 AVC 消息:

type=AVC msg=audit(1556563573.950:2466): avc:  denied  { search } for  pid=16708 comm="mmap_file_share" name="vagrant" dev="dm-0" ino=81922 scontext=unconfined_u:unconfined_r:test_no_map_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

我不完全确定这个 AVC 是否是由测试套件打算的(作为负面测试用例)。但我想了解这种失败。

linux

1 个回答

  1. Best Answer

    为了结束这个循环,selinux 邮件列表的 Ondrej Mosnacek 提供了答案:

    Quoth Ondrej:

    RHEL 和 CentOS 7.6 的 domain_can_mmap_files SELinux boolean 默认设置为“on” [1],这基本上意味着不检查映射权限,这在逻辑上导致检查映射权限被拒绝的测试失败。测试策略允许。在 CentOS/RHEL 7.6 上运行测试套件时,您需要在测试执行期间关闭 domain_can_mmap_files 布尔值。

    为了解决它,我做了:

    # Get the original value of the bool
export OLD_MMAP_BOOL=$(getsebool domain_can_mmap_files | awk '{ print $3 }')
# Disable it
sudo setsebool domain_can_mmap_files off
# Run the test suite
make -C tests test
# Restore the previous state
sudo OLD_MMAP_BOOL=$OLD_MMAP_BOOL setsebool domain_can_mmap_files $OLD_MMAP_BOOL
    • 3

相关问题