* iptables & nftables secmark unit-tests
From: Jeremy Sowden @ 2024-11-19 22:46 UTC
To: Netfilter Devel

When running the test-suites for iptables and nftables, the secmark
tests usually fail 'cause I don't have selinux installed and configured,
and I ignore them.  However, I want to get the test-suites working with
Debian's CI, so any pointers for how I need to set up selinux would be
gratefully received.

J.

* Re: iptables & nftables secmark unit-tests
From: Phil Sutter @ 2024-11-20 12:29 UTC
To: Jeremy Sowden; +Cc: Netfilter Devel

Hi Jeremy,

On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> When running the test-suites for iptables and nftables, the secmark
> tests usually fail 'cause I don't have selinux installed and configured,
> and I ignore them.  However, I want to get the test-suites working with
> Debian's CI, so any pointers for how I need to set up selinux would be
> gratefully received.

That's odd, my VM for testing doesn't run selinux and the testsuites
still pass. The only thing I see is selinux support in the kernel
config:

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"

SELinux-ignorant as I am, I wasn't able to find a place which defines
selinux contexts/policies, no idea how the kernel validates the
'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
testing for instance. All I can tell is that we had to change this for
testing on RHEL.

HTH, Phil

* Re: iptables & nftables secmark unit-tests
From: Jeremy Sowden @ 2024-11-21 10:33 UTC
To: Phil Sutter; +Cc: Netfilter Devel

On 2024-11-20, at 13:29:25 +0100, Phil Sutter wrote:
> On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> > When running the test-suites for iptables and nftables, the secmark
> > tests usually fail 'cause I don't have selinux installed and configured,
> > and I ignore them.  However, I want to get the test-suites working with
> > Debian's CI, so any pointers for how I need to set up selinux would be
> > gratefully received.
>
> That's odd, my VM for testing doesn't run selinux and the testsuites
> still pass. The only thing I see is selinux support in the kernel
> config:
>
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
> CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
> CONFIG_DEFAULT_SECURITY_SELINUX=y
> CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> SELinux-ignorant as I am, I wasn't able to find a place which defines
> selinux contexts/policies, no idea how the kernel validates the
> 'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
> testing for instance. All I can tell is that we had to change this for
> testing on RHEL.

Thanks, Phil.  I'll keep plugging away.  Probably about time I learnt
more about SELinux than just how to turn it off. :)

J.