* iptables & nftables secmark unit-tests
From: Jeremy Sowden @ 2024-11-19 22:46 UTC (permalink / raw)
To: Netfilter Devel
When running the test-suites for iptables and nftables, the secmark
tests usually fail 'cause I don't have selinux installed and configured,
and I ignore them. However, I want to get the test-suites working with
Debian's CI, so any pointers for how I need to set up selinux would be
gratefully received.
J.
* Re: iptables & nftables secmark unit-tests
From: Phil Sutter @ 2024-11-20 12:29 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: Netfilter Devel
Hi Jeremy,
On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> When running the test-suites for iptables and nftables, the secmark
> tests usually fail 'cause I don't have selinux installed and configured,
> and I ignore them. However, I want to get the test-suites working with
> Debian's CI, so any pointers for how I need to set up selinux would be
> gratefully received.
That's odd, my VM for testing doesn't run selinux and the testsuites
still pass. The only thing I see is selinux support in the kernel
config:

    CONFIG_SECURITY_SELINUX=y
    CONFIG_SECURITY_SELINUX_DEVELOP=y
    CONFIG_SECURITY_SELINUX_AVC_STATS=y
    CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
    CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
    CONFIG_DEFAULT_SECURITY_SELINUX=y
    CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"

SELinux-ignorant as I am, I wasn't able to find a place which defines
selinux contexts/policies, no idea how the kernel validates the
'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
testing for instance. All I can tell is that we had to change this for
testing on RHEL.
HTH, Phil
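
The kernel options quoted in the reply above can be checked mechanically before a CI run decides whether to execute the secmark tests. The following is an added example, not code from the thread or from the iptables/nftables test-suites: the function names and the second sample config are constructed, and it assumes selinux, smack and apparmor are the exclusive LSMs, of which the kernel enables only the first one listed in CONFIG_LSM.

```shell
#!/bin/sh
# Added example: decide from kernel config text whether SELinux would be the
# default active LSM. Function names and OTHER_CFG are constructed.

# Print the value of one CONFIG_ option from config text on stdin.
config_value() {
    sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# Print the first exclusive LSM in a comma-separated CONFIG_LSM value.
# Assumption: selinux, smack and apparmor are exclusive, and only the
# first of them in the list is enabled by default.
first_exclusive_lsm() {
    for lsm in $(printf '%s' "$1" | tr ',' ' '); do
        case "$lsm" in
            selinux|smack|apparmor) printf '%s\n' "$lsm"; return 0 ;;
        esac
    done
    return 1
}

# Classify config text as "active", "built-not-default" or "absent".
selinux_status() {
    cfg=$1
    [ "$(printf '%s\n' "$cfg" | config_value CONFIG_SECURITY_SELINUX)" = y ] ||
        { echo absent; return; }
    lsms=$(printf '%s\n' "$cfg" | config_value CONFIG_LSM)
    if [ "$(first_exclusive_lsm "$lsms")" = selinux ]; then
        echo active
    else
        echo built-not-default
    fi
}

# Two of the lines quoted in the thread.
THREAD_CFG='CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"'
# Constructed sample: same options, apparmor listed before selinux.
OTHER_CFG='CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"'

echo "thread config:      $(selinux_status "$THREAD_CFG")"
echo "constructed config: $(selinux_status "$OTHER_CFG")"
```

The `lsm=` boot parameter can override CONFIG_LSM, so on a running system `/sys/kernel/security/lsm` is the authoritative list of active LSMs.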
* Re: iptables & nftables secmark unit-tests
From: Jeremy Sowden @ 2024-11-21 10:33 UTC (permalink / raw)
To: Phil Sutter; +Cc: Netfilter Devel
On 2024-11-20, at 13:29:25 +0100, Phil Sutter wrote:
> On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> > When running the test-suites for iptables and nftables, the secmark
> > tests usually fail 'cause I don't have selinux installed and configured,
> > and I ignore them. However, I want to get the test-suites working with
> > Debian's CI, so any pointers for how I need to set up selinux would be
> > gratefully received.
>
> That's odd, my VM for testing doesn't run selinux and the testsuites
> still pass. The only thing I see is selinux support in the kernel
> config:
>
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
> CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
> CONFIG_DEFAULT_SECURITY_SELINUX=y
> CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> SELinux-ignorant as I am, I wasn't able to find a place which defines
> selinux contexts/policies, no idea how the kernel validates the
> 'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
> testing for instance. All I can tell is that we had to change this for
> testing on RHEL.
Thanks, Phil. I'll keep plugging away. Probably about time I learnt
more about SELinux than just how to turn it off. :)
J.