From: Subrata Modak <subrata@linux.vnet.ibm.com>
To: ltp-list <ltp-list@lists.sf.net>
Cc: Serge Hallyn <serue@linux.vnet.ibm.com>
Subject: [LTP] [PATCH] Fix FILECAPS test hanging for more than 12 hours
Date: Tue, 04 May 2010 23:50:03 +0530
Message-ID: <1272997208.5342.7.camel@subratamodak.linux.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 12091 bytes --]
Hi,
Recently running FILECAPS test on my Fedora system:
# uname -a
Linux 2.6.33.1-19.fc13.ppc64 #1 SMP Tue Mar 23 06:32:38 EDT 2010 ppc64
ppc64 ppc64 GNU/Linux,
I found that the test hangs for more than 12 hours. The following patch
by Serge fixes the issue. Kindly include it inside LTP.
Tested-by: Subrata Modak <subrata@linux.vnet.ibm.com>,
Serge, please add a Sign-off.
Issue before the patch:
=============================
# ./runltp -f filecaps
<<<test_start>>>
tag=Filecaps stime=1271951563
cmdline="filecapstest.sh"
contacts=""
analysis=exit
<<<test_output>>>
Running in:
cap_sys_admin tests
testing for correct caps
...
The test hangs here for more than 12 hours.
The following is various information about the processes running this test:
# ps ajxf
1608 1724 1608 1458 ? -1 S 0 0:00 \_
/opt/ltp/bin/ltp-pan -e -S -a 1608 -n 1608 -p -f /tmp/ltp-71wskF3epE/alltests
-l /opt/ltp/results/LTP_RUN_ON-20
1724 30311 30311 1458 ? -1 S 0 0:00 \_ /bin/sh
/opt/ltp/testcases/bin/filecapstest.sh
30311 30315 30311 1458 ? -1 S 0 0:00 \_
verify_caps_exec 1
30315 30316 30311 1458 ? -1 Z 1000 0:00 \_
[verify_caps_exe] <defunct>
STRACE on the PIDs does not show anything:
[root@alien5 ltp]# strace -p 30425
Process 30425 attached - interrupt to quit
waitpid(-1, ^C <unfinished ...>
Process 30425 detached
[root@alien5 ltp]# strace -p 30429
Process 30429 attached - interrupt to quit
open("caps_fifo", O_RDONLY^C <unfinished ...>
Process 30429 detached
[root@alien5 ltp]# strace -p 30430
attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted
# getenforce
Permissive
[root@alien5 ltp]# tail -f /var/log/messages
2010-04-21T18:00:15.752320+05:18 alien5 setroubleshoot: SELinux is preventing
/sbin/rsyslogd access to a leaked
/opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output file descriptor. For
complete SELinux messages. run sealert -l 894e0d2d-23c3-45d1-9108-71ad97f5a45e
2010-04-21T18:00:15.794214+05:18 alien5 setroubleshoot: SELinux is preventing
/sbin/rsyslogd access to a leaked
/opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output file descriptor. For
complete SELinux messages. run sealert -l 894e0d2d-23c3-45d1-9108-71ad97f5a45e
2010-04-21T18:00:15.823557+05:18 alien5 setroubleshoot: SELinux is preventing
/sbin/rsyslogd access to a leaked
/opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output file descriptor. For
complete SELinux messages. run sealert -l 894e0d2d-23c3-45d1-9108-71ad97f5a45e
2010-04-21T18:00:17.721361+05:18 alien5 syslogtst: syslogtst:10 error level is
logged
Apr 21 18:00:19 alien5 kernel: imklog 4.4.2, log source = /proc/kmsg started.
Apr 21 18:00:19 alien5 rsyslogd: [origin software="rsyslogd" swVersion="4.4.2"
x-pid="2165" x-info="http://www.rsyslog.com"] (re)start
Apr 21 18:00:20 alien5 setroubleshoot: SELinux is preventing /sbin/rsyslogd
access to a leaked /opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output
file descriptor. For complete SELinux messages. run sealert -l
894e0d2d-23c3-45d1-9108-71ad97f5a45e
Apr 21 18:00:20 alien5 setroubleshoot: SELinux is preventing /sbin/rsyslogd
access to a leaked /opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output
file descriptor. For complete SELinux messages. run sealert -l
894e0d2d-23c3-45d1-9108-71ad97f5a45e
Apr 21 18:00:20 alien5 setroubleshoot: SELinux is preventing /sbin/rsyslogd
access to a leaked /opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output
file descriptor. For complete SELinux messages. run sealert -l
894e0d2d-23c3-45d1-9108-71ad97f5a45e
So, I executed the following command:
# sealert -l 894e0d2d-23c3-45d1-9108-71ad97f5a45e
exception when creating syslog handler: [Errno 2] No such file or directory
Summary:
SELinux is preventing /sbin/rsyslogd access to a leaked
/opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output file descriptor.
Detailed Description:
[rsyslogd has a permissive type (syslogd_t). This access was not denied.]
SELinux denied access requested by the rsyslogd command. It looks like this is
either a leaked descriptor or rsyslogd output was redirected to a file it is
not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output. You should
generate a bugzilla on selinux-policy, and it will get routed to the
appropriate
package. You can safely ignore this avc.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Additional Information:
Source Context unconfined_u:system_r:syslogd_t:s0
Target Context unconfined_u:object_r:usr_t:s0
Target Objects /opt/ltp/output/LTP_RUN_ON-
2010_Apr_21-17h_51m_22s.output [ file ]
Source rsyslogd
Source Path /sbin/rsyslogd
Port <Unknown>
Host alien5.ltc.austin.ibm.com
Source RPM Packages rsyslog-4.4.2-6.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.15-4.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name leaks
Host Name alien5.ltc.austin.ibm.com
Platform Linux alien5.ltc.austin.ibm.com
2.6.33.1-19.fc13.ppc64 #1 SMP Tue Mar 23 06:32:38
EDT 2010 ppc64 ppc64
Alert Count 186
First Seen Tue Apr 20 23:55:40 2010
Last Seen Wed Apr 21 18:00:19 2010
Local ID 894e0d2d-23c3-45d1-9108-71ad97f5a45e
Line Numbers
Raw Audit Messages
node= type=AVC msg=audit(1271853019.957:317): avc:
denied { append } for pid=2164 comm="rsyslogd"
path="/opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.output" dev=sda3
ino=1188363 scontext=unconfined_u:system_r:syslogd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
node= type=AVC msg=audit(1271853019.957:317): avc:
denied { append } for pid=2164 comm="rsyslogd"
path="/opt/ltp/results/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.log" dev=sda3
ino=1188362 scontext=unconfined_u:system_r:syslogd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
node= type=AVC msg=audit(1271853019.957:317): avc:
denied { append } for pid=2164 comm="rsyslogd"
path="/opt/ltp/output/LTP_RUN_ON-2010_Apr_21-17h_51m_22s.failed" dev=sda3
ino=1188364 scontext=unconfined_u:system_r:syslogd_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
node= type=SYSCALL msg=audit(1271853019.957:317):
arch=14 syscall=11 success=yes exit=0 a0=1026c900 a1=1026b5b0 a2=1026b640
a3=1026b5a8 items=0 ppid=2163 pid=2164 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=22 comm="rsyslogd" exe="/sbin/rsyslogd"
subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
=============================
=============================
Test result after applying the patch
=============================
<<<test_start>>>
tag=Filecaps stime=1272996532
cmdline="filecapstest.sh"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
Running in:
cap_sys_admin tests
filecaps 1 TPASS : could not set capabilities as non-root
testing for correct caps
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO :
caps are =
filecaps 0 TINFO : 0
filecaps 0 TINFO : 1
filecaps 0 TINFO : 2
filecaps 0 TINFO : 3
filecaps 0 TINFO : 4
filecaps 0 TINFO : 5
filecaps 0 TINFO : 6
filecaps 0 TINFO : 7
filecaps 0 TINFO : 8
filecaps 0 TINFO : 9
filecaps 0 TINFO : 10
filecaps 0 TINFO : 11
filecaps 0 TINFO : 12
filecaps 0 TINFO : 13
filecaps 0 TINFO : 14
filecaps 0 TINFO : 15
filecaps 0 TINFO : 16
filecaps 0 TINFO : 17
filecaps 0 TINFO : 18
filecaps 0 TINFO : 19
filecaps 0 TINFO : 20
filecaps 0 TINFO : 21
filecaps 0 TINFO : 22
filecaps 0 TINFO : 23
filecaps 0 TINFO : 24
filecaps 0 TINFO : 25
filecaps 0 TINFO : 26
filecaps 0 TINFO : 27
filecaps 0 TINFO : 28
filecaps 0 TINFO : 29
filecaps 0 TINFO : 30
filecaps 0 TINFO : 31
filecaps 0 TINFO : 32
filecaps 0 TINFO : 33
filecaps 1 TPASS : All tests passed
testing for correct pI checks
filecaps 0 TINFO : start
filecaps 0 TINFO : =ep
filecaps 0 TINFO : after raising all caps
filecaps 0 TINFO : =eip
filecaps 0 TINFO : after first drop cap_sys_admin
filecaps 0 TINFO : =eip cap_sys_admin-eip
filecaps 0 TINFO : after first raise cap_sys_admin
filecaps 0 TINFO : =eip cap_sys_admin-ep
filecaps 0 TINFO : after drop cappset
filecaps 0 TINFO : =ip cap_sys_admin-p
filecaps 0 TINFO : after second drop cap_sys_admin
filecaps 0 TINFO : =eip cap_setpcap-e cap_sys_admin-eip
filecaps 0 TINFO : final
filecaps 0 TINFO : =eip cap_setpcap-e cap_sys_admin-eip
filecaps 1 TPASS : pI is properly capped
<<<execution_status>>>
initiation_status="ok"
duration=0 termination_type=exited termination_id=0 corefile=no
cutime=0 cstime=4
<<<test_end>>>
=============================
Regards--
Subrata
[-- Attachment #2: 0001-make-filecaps-tests-succeed.patch --]
[-- Type: application/mbox, Size: 3107 bytes --]
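Added example, not part of the original message or of the attached patch: the traces above show a process blocked in open("caps_fifo", O_RDONLY) next to a defunct verify_caps_exec child, and a blocking read-side open of a FIFO does not return until some writer opens it. The sketch below shows one way a test harness can bound that wait by opening non-blocking, polling with a deadline, and checking whether the writer has exited. The names read_fifo_bounded and run_case, the /tmp directory and the 2000 ms limit are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { FIFO_OK, FIFO_TIMEOUT, FIFO_WRITER_DIED, FIFO_ERROR };

/* Read one message, waiting at most ms; stop early (and reap) if the writer exits. */
static int read_fifo_bounded(const char *path, pid_t writer, int ms, char *buf, size_t len)
{
    /* O_NONBLOCK makes the read-side open return even when no writer exists. */
    int rc = FIFO_TIMEOUT, fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return FIFO_ERROR;
    for (int waited = 0; waited < ms; waited += 50) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int n = poll(&p, 1, 50);
        int exited = n <= 0 && waitpid(writer, NULL, WNOHANG) == writer;
        if (n > 0 || exited) {  /* data, hang-up or dead writer: one last read */
            ssize_t got = read(fd, buf, len - 1);
            if (got > 0) { buf[got] = '\0'; rc = FIFO_OK; break; }
            if (got == 0 || exited) { rc = FIFO_WRITER_DIED; break; }
        }
    }
    close(fd);
    return rc;
}

/* Constructed demo: the child writes "ok", or exits before ever opening the FIFO. */
static int run_case(int writer_writes)
{
    char dir[] = "/tmp/fifo_demo_XXXXXX", path[64], buf[16];
    if (!mkdtemp(dir)) return FIFO_ERROR;
    snprintf(path, sizeof path, "%s/caps_fifo", dir);
    if (mkfifo(path, 0600) != 0) { rmdir(dir); return FIFO_ERROR; }
    pid_t pid = fork();
    if (pid == 0) {
        int w = writer_writes ? open(path, O_WRONLY) : -1;  /* -1: exit early */
        _exit(w >= 0 && write(w, "ok", 2) == 2 ? 0 : 1);
    }
    int rc = pid < 0 ? FIFO_ERROR : read_fifo_bounded(path, pid, 2000, buf, sizeof buf);
    if (rc == FIFO_TIMEOUT) kill(pid, SIGKILL);  /* never leave a stuck writer */
    if (pid > 0) waitpid(pid, NULL, 0);          /* reap if not already reaped */
    unlink(path); rmdir(dir);
    return rc;
}

int main(void) { printf("%d %d\n", run_case(1), run_case(0)); return 0; }
```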