GNU bug report logs -
#22631
[PATCH] tests: support non-MLS SELinux systems in mkdir tests
Previous Next
Reported by: Nicolas Iooss <nicolas.iooss <at> m4x.org>
Date: Thu, 11 Feb 2016 14:10:02 UTC
Severity: normal
Tags: patch
Done: Pádraig Brady <P <at> draigBrady.com>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
On 17/12/16 14:11, Pádraig Brady wrote:
> On 16/12/16 20:47, Nicolas Iooss wrote:
>> On 12/02/16 05:33, Pádraig Brady wrote:
>>> On 11/02/16 06:07, Nicolas Iooss wrote:
>>>> When running "make check" on a Linux system running SELinux with a
>>>> non-MLS policy, tests/mkdir/restorecon.sh test fails with:
>>>>
>>>> chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
>>>>
>>>> Indeed in such a configuration, contexts cannot have ":s0" suffix.
>>>>
>>>> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
>>>> using sestatus and in this case use a valid context when calling
>>>> runcon. Update the sed pattern of get_selinux_type to always grab the
>>>> SELinux type from the output of "ls -Zd" even with a non-MLS policy.
>>>> ---
>>>> tests/mkdir/restorecon.sh | 8 ++++++--
>>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
>>>> index 0e7f03bc93db..cfd3bdda9637 100755
>>>> --- a/tests/mkdir/restorecon.sh
>>>> +++ b/tests/mkdir/restorecon.sh
>>>> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
>>>> require_selinux_
>>>>
>>>>
>>>> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
>>>> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
>>>>
>>>> mkdir subdir || framework_failure_
>>>> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>>> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
>>>> + chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>>> +else
>>>> + chcon 'root:object_r:tmp_t' subdir || framework_failure_
>>>> +fi
>>>> cd subdir
>>>>
>>>> # --- mkdir -Z ---
>>>>
>>>
>>> +1
>>>
>>> thanks!
>>> Pádraig
>>
>> Hi,
>> This patch has not been included in coreutils 8.26, which makes
>> mkdir/restorecon.sh tests still fails on my system. What should I do for
>> this patch to be merged?
>>
>> Moreover the code which was modified in this patch has been copied in
>> tests/install/install-Z-selinux.sh. So this test also fails on systems
>> where SELinux is configured with a non-MLS policy. Do I need to send a
>> new patch which also modifies this file?
>
> My bad. Sorry I missed this.
>
> I presume these root tests have the same issue?
>
> $ git grep -l ':s0' tests | xargs grep -l require_root_
> tests/cp/cp-a-selinux.sh
> tests/misc/chcon.sh
> tests/misc/selinux.sh
>
> I updated those also which can be tested like:
>
> git am < cu-non-mls-tests.patch
> sudo make TESTS="$(echo $(git show --name-only | grep ^tests))" check SUBDIRS=.
>
> Do those pass on your system?
>
> I'll apply the attached in your name if so.
>
> thanks for the follow up.
> Pádraig
Thanks for your quick reply. With your patch I get 3 PASS and 2 SKIP on
my system instead of 3 ERROR and 2 SKIP:
PASS: tests/mkdir/restorecon.sh
chcon.sh: skipped test: unexpected context
'sysadm_u:object_r:user_home_t'; turn off mcstransd
SKIP: tests/misc/chcon.sh
PASS: tests/install/install-Z-selinux.sh
PASS: tests/cp/cp-a-selinux.sh
selinux.sh: skipped test: unexpected context
'sysadm_u:object_r:user_home_t'; turn off mcstransd
SKIP: tests/misc/selinux.sh
I am not running mcstransd on and the SKIP were due to incorrect
matching in skip_if_mcstransd_is_running_ function. I updated this
function to accept contexts with three components if MLS is disabled and
got one more PASS:
PASS: tests/mkdir/restorecon.sh
chcon.sh: skipped test: MLS is disabled
SKIP: tests/misc/chcon.sh
PASS: tests/install/install-Z-selinux.sh
PASS: tests/cp/cp-a-selinux.sh
PASS: tests/misc/selinux.sh
My updated patch is attached to this email.
Regards,
Nicolas
[0001-tests-support-non-MLS-enabled-SELinux-systems.patch (text/x-patch, attachment)]
This bug report was last modified 8 years and 219 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.