GNU bug report logs -
#22631
[PATCH] tests: support non-MLS SELinux systems in mkdir tests
Previous Next
Reported by: Nicolas Iooss <nicolas.iooss <at> m4x.org>
Date: Thu, 11 Feb 2016 14:10:02 UTC
Severity: normal
Tags: patch
Done: Pádraig Brady <P <at> draigBrady.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 22631 in the body.
You can then email your comments to 22631 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Thu, 11 Feb 2016 14:10:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Nicolas Iooss <nicolas.iooss <at> m4x.org>:
New bug report received and forwarded. Copy sent to
bug-coreutils <at> gnu.org.
(Thu, 11 Feb 2016 14:10:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
When running "make check" on a Linux system running SELinux with a
non-MLS policy, tests/mkdir/restorecon.sh test fails with:
chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
Indeed in such a configuration, contexts cannot have ":s0" suffix.
* tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
using sestatus and in this case use a valid context when calling
runcon. Update the sed pattern of get_selinux_type to always grab the
SELinux type from the output of "ls -Zd" even with a non-MLS policy.
---
tests/mkdir/restorecon.sh | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
index 0e7f03bc93db..cfd3bdda9637 100755
--- a/tests/mkdir/restorecon.sh
+++ b/tests/mkdir/restorecon.sh
@@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
require_selinux_
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
+get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
+ chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+else
+ chcon 'root:object_r:tmp_t' subdir || framework_failure_
+fi
cd subdir
# --- mkdir -Z ---
--
2.7.0
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Fri, 12 Feb 2016 04:34:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 22631 <at> debbugs.gnu.org (full text, mbox):
On 11/02/16 06:07, Nicolas Iooss wrote:
> When running "make check" on a Linux system running SELinux with a
> non-MLS policy, tests/mkdir/restorecon.sh test fails with:
>
> chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
>
> Indeed in such a configuration, contexts cannot have ":s0" suffix.
>
> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
> using sestatus and in this case use a valid context when calling
> runcon. Update the sed pattern of get_selinux_type to always grab the
> SELinux type from the output of "ls -Zd" even with a non-MLS policy.
> ---
> tests/mkdir/restorecon.sh | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
> index 0e7f03bc93db..cfd3bdda9637 100755
> --- a/tests/mkdir/restorecon.sh
> +++ b/tests/mkdir/restorecon.sh
> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
> require_selinux_
>
>
> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
>
> mkdir subdir || framework_failure_
> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
> + chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
> +else
> + chcon 'root:object_r:tmp_t' subdir || framework_failure_
> +fi
> cd subdir
>
> # --- mkdir -Z ---
>
+1
thanks!
Pádraig
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Tue, 01 Mar 2016 07:50:03 GMT)
Full text and
rfc822 format available.
Message #11 received at 22631 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hello!
New message, please read <http://nzdigitalmediaacademy.ac.nz/forced.php?8rs>
Ulf.Zibis <at> gmx.de
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Fri, 16 Dec 2016 20:48:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 22631 <at> debbugs.gnu.org (full text, mbox):
On 12/02/16 05:33, Pádraig Brady wrote:
> On 11/02/16 06:07, Nicolas Iooss wrote:
>> When running "make check" on a Linux system running SELinux with a
>> non-MLS policy, tests/mkdir/restorecon.sh test fails with:
>>
>> chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
>>
>> Indeed in such a configuration, contexts cannot have ":s0" suffix.
>>
>> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
>> using sestatus and in this case use a valid context when calling
>> runcon. Update the sed pattern of get_selinux_type to always grab the
>> SELinux type from the output of "ls -Zd" even with a non-MLS policy.
>> ---
>> tests/mkdir/restorecon.sh | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
>> index 0e7f03bc93db..cfd3bdda9637 100755
>> --- a/tests/mkdir/restorecon.sh
>> +++ b/tests/mkdir/restorecon.sh
>> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
>> require_selinux_
>>
>>
>> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
>> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
>>
>> mkdir subdir || framework_failure_
>> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
>> + chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>> +else
>> + chcon 'root:object_r:tmp_t' subdir || framework_failure_
>> +fi
>> cd subdir
>>
>> # --- mkdir -Z ---
>>
>
> +1
>
> thanks!
> Pádraig
Hi,
This patch has not been included in coreutils 8.26, which makes
mkdir/restorecon.sh tests still fails on my system. What should I do for
this patch to be merged?
Moreover the code which was modified in this patch has been copied in
tests/install/install-Z-selinux.sh. So this test also fails on systems
where SELinux is configured with a non-MLS policy. Do I need to send a
new patch which also modifies this file?
Thanks,
Nicolas
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Sat, 17 Dec 2016 13:12:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 22631 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 16/12/16 20:47, Nicolas Iooss wrote:
> On 12/02/16 05:33, Pádraig Brady wrote:
>> On 11/02/16 06:07, Nicolas Iooss wrote:
>>> When running "make check" on a Linux system running SELinux with a
>>> non-MLS policy, tests/mkdir/restorecon.sh test fails with:
>>>
>>> chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
>>>
>>> Indeed in such a configuration, contexts cannot have ":s0" suffix.
>>>
>>> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
>>> using sestatus and in this case use a valid context when calling
>>> runcon. Update the sed pattern of get_selinux_type to always grab the
>>> SELinux type from the output of "ls -Zd" even with a non-MLS policy.
>>> ---
>>> tests/mkdir/restorecon.sh | 8 ++++++--
>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
>>> index 0e7f03bc93db..cfd3bdda9637 100755
>>> --- a/tests/mkdir/restorecon.sh
>>> +++ b/tests/mkdir/restorecon.sh
>>> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
>>> require_selinux_
>>>
>>>
>>> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
>>> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
>>>
>>> mkdir subdir || framework_failure_
>>> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
>>> + chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>> +else
>>> + chcon 'root:object_r:tmp_t' subdir || framework_failure_
>>> +fi
>>> cd subdir
>>>
>>> # --- mkdir -Z ---
>>>
>>
>> +1
>>
>> thanks!
>> Pádraig
>
> Hi,
> This patch has not been included in coreutils 8.26, which makes
> mkdir/restorecon.sh tests still fails on my system. What should I do for
> this patch to be merged?
>
> Moreover the code which was modified in this patch has been copied in
> tests/install/install-Z-selinux.sh. So this test also fails on systems
> where SELinux is configured with a non-MLS policy. Do I need to send a
> new patch which also modifies this file?
My bad. Sorry I missed this.
I presume these root tests have the same issue?
$ git grep -l ':s0' tests | xargs grep -l require_root_
tests/cp/cp-a-selinux.sh
tests/misc/chcon.sh
tests/misc/selinux.sh
I updated those also which can be tested like:
git am < cu-non-mls-tests.patch
sudo make TESTS="$(echo $(git show --name-only | grep ^tests))" check SUBDIRS=.
Do those pass on your system?
I'll apply the attached in your name if so.
thanks for the follow up.
Pádraig
[cu-non-mls-tests.patch (text/x-patch, attachment)]
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Sun, 18 Dec 2016 19:30:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 22631 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 17/12/16 14:11, Pádraig Brady wrote:
> On 16/12/16 20:47, Nicolas Iooss wrote:
>> On 12/02/16 05:33, Pádraig Brady wrote:
>>> On 11/02/16 06:07, Nicolas Iooss wrote:
>>>> When running "make check" on a Linux system running SELinux with a
>>>> non-MLS policy, tests/mkdir/restorecon.sh test fails with:
>>>>
>>>> chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
>>>>
>>>> Indeed in such a configuration, contexts cannot have ":s0" suffix.
>>>>
>>>> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
>>>> using sestatus and in this case use a valid context when calling
>>>> runcon. Update the sed pattern of get_selinux_type to always grab the
>>>> SELinux type from the output of "ls -Zd" even with a non-MLS policy.
>>>> ---
>>>> tests/mkdir/restorecon.sh | 8 ++++++--
>>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
>>>> index 0e7f03bc93db..cfd3bdda9637 100755
>>>> --- a/tests/mkdir/restorecon.sh
>>>> +++ b/tests/mkdir/restorecon.sh
>>>> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
>>>> require_selinux_
>>>>
>>>>
>>>> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
>>>> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
>>>>
>>>> mkdir subdir || framework_failure_
>>>> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>>> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
>>>> + chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>>> +else
>>>> + chcon 'root:object_r:tmp_t' subdir || framework_failure_
>>>> +fi
>>>> cd subdir
>>>>
>>>> # --- mkdir -Z ---
>>>>
>>>
>>> +1
>>>
>>> thanks!
>>> Pádraig
>>
>> Hi,
>> This patch has not been included in coreutils 8.26, which makes
>> mkdir/restorecon.sh tests still fails on my system. What should I do for
>> this patch to be merged?
>>
>> Moreover the code which was modified in this patch has been copied in
>> tests/install/install-Z-selinux.sh. So this test also fails on systems
>> where SELinux is configured with a non-MLS policy. Do I need to send a
>> new patch which also modifies this file?
>
> My bad. Sorry I missed this.
>
> I presume these root tests have the same issue?
>
> $ git grep -l ':s0' tests | xargs grep -l require_root_
> tests/cp/cp-a-selinux.sh
> tests/misc/chcon.sh
> tests/misc/selinux.sh
>
> I updated those also which can be tested like:
>
> git am < cu-non-mls-tests.patch
> sudo make TESTS="$(echo $(git show --name-only | grep ^tests))" check SUBDIRS=.
>
> Do those pass on your system?
>
> I'll apply the attached in your name if so.
>
> thanks for the follow up.
> Pádraig
Thanks for your quick reply. With your patch I get 3 PASS and 2 SKIP on
my system instead of 3 ERROR and 2 SKIP:
PASS: tests/mkdir/restorecon.sh
chcon.sh: skipped test: unexpected context
'sysadm_u:object_r:user_home_t'; turn off mcstransd
SKIP: tests/misc/chcon.sh
PASS: tests/install/install-Z-selinux.sh
PASS: tests/cp/cp-a-selinux.sh
selinux.sh: skipped test: unexpected context
'sysadm_u:object_r:user_home_t'; turn off mcstransd
SKIP: tests/misc/selinux.sh
I am not running mcstransd on and the SKIP were due to incorrect
matching in skip_if_mcstransd_is_running_ function. I updated this
function to accept contexts with three components if MLS is disabled and
got one more PASS:
PASS: tests/mkdir/restorecon.sh
chcon.sh: skipped test: MLS is disabled
SKIP: tests/misc/chcon.sh
PASS: tests/install/install-Z-selinux.sh
PASS: tests/cp/cp-a-selinux.sh
PASS: tests/misc/selinux.sh
My updated patch is attached to this email.
Regards,
Nicolas
[0001-tests-support-non-MLS-enabled-SELinux-systems.patch (text/x-patch, attachment)]
Reply sent
to
Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility.
(Sun, 18 Dec 2016 20:11:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Nicolas Iooss <nicolas.iooss <at> m4x.org>:
bug acknowledged by developer.
(Sun, 18 Dec 2016 20:11:02 GMT)
Full text and
rfc822 format available.
Message #25 received at 22631-done <at> debbugs.gnu.org (full text, mbox):
On 18/12/16 19:29, Nicolas Iooss wrote:
> I am not running mcstransd on and the SKIP were due to incorrect
> matching in skip_if_mcstransd_is_running_ function. I updated this
> function to accept contexts with three components if MLS is disabled and
> got one more PASS:
Excellent. I tweaked that a little to be less than 80 chars line length,
and avoid a duplicated error message, and pushed at:
http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=v8.26-5-gbe2f82f
Marking this bug as done.
cheers,
Pádraig
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Sun, 18 Dec 2016 20:28:02 GMT)
Full text and
rfc822 format available.
Message #28 received at 22631-done <at> debbugs.gnu.org (full text, mbox):
On 18/12/16 21:10, Pádraig Brady wrote:
> On 18/12/16 19:29, Nicolas Iooss wrote:
>> I am not running mcstransd on and the SKIP were due to incorrect
>> matching in skip_if_mcstransd_is_running_ function. I updated this
>> function to accept contexts with three components if MLS is disabled and
>> got one more PASS:
>
> Excellent. I tweaked that a little to be less than 80 chars line length,
> and avoid a duplicated error message, and pushed at:
> http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=v8.26-5-gbe2f82f
>
> Marking this bug as done.
Sorry to bother you but there are two errors in this commit with
"mls_enabled_ && __ctk_ok=1": 3-component contexts are fine when MLS is
disabled so the operator needs to be || instead, and there is a K
instead of an X in the variable name (which would be __ctx_ok).
Thanks,
Nicolas
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#22631; Package
coreutils.
(Sun, 18 Dec 2016 20:44:01 GMT)
Full text and
rfc822 format available.
Message #31 received at 22631 <at> debbugs.gnu.org (full text, mbox):
On 18/12/16 20:27, Nicolas Iooss wrote:
>
>
> On 18/12/16 21:10, Pádraig Brady wrote:
>> On 18/12/16 19:29, Nicolas Iooss wrote:
>>> I am not running mcstransd on and the SKIP were due to incorrect
>>> matching in skip_if_mcstransd_is_running_ function. I updated this
>>> function to accept contexts with three components if MLS is disabled and
>>> got one more PASS:
>>
>> Excellent. I tweaked that a little to be less than 80 chars line length,
>> and avoid a duplicated error message, and pushed at:
>> http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=v8.26-5-gbe2f82f
>>
>> Marking this bug as done.
>
> Sorry to bother you but there are two errors in this commit with
> "mls_enabled_ && __ctk_ok=1": 3-component contexts are fine when MLS is
> disabled so the operator needs to be || instead, and there is a K
> instead of an X in the variable name (which would be __ctx_ok).
Wow. That's a lesson in not doing even trivial commits
while being distracted :/ I've pushed that fix
highlighting that the issue was mine.
cheers,
Pádraig.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 16 Jan 2017 12:24:03 GMT)
Full text and
rfc822 format available.
This bug report was last modified 8 years and 217 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.