* [LTP] Test case "netns_2children" fails under SELinux MLS
From: Matus Marhefka @ 2014-10-13 17:34 UTC
To: ltp-list

Hi,

I got a failure for TC netns_2children (under kernel/containers/netns) when using SELinux policy MLS in enforcing mode:

netns_child_2.sh 1 TFAIL : FAIL: Unable to ping Child1NS from Child2NS !
netns_child_1.sh 1 TFAIL : CHILD2 is unable to reach CHILD1
netns_2children 1 TFAIL : netns_two_children_ns.c:125: waitpid() returns 22672, errno 255

..but it passes for permissive mode (setenforce 0), so I can either report a bug on the SELinux policy or we must test this TC in permissive mode. I think reporting a bug on the SELinux policy is the better solution, what do you think?

More details (after test fail):

# ausearch -m avc -ts recent | grep ping
type=SYSCALL msg=audit(1413219951.925:1481): arch=c000003e syscall=46 success=yes exit=64 a0=5 a1=7fc90a490160 a2=0 a3=0 items=0 ppid=21088 pid=21167 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=17 comm="ping" exe="/usr/bin/pin " subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1413219951.925:1481): avc: denied { egress } for pid=21167 comm= ping" saddr=192.168.0.184 daddr=192.168.0.182 netif=veth0 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif

# ausearch -m avc -ts recent | grep ping | audit2allow

#============= unlabeled_t ==============
allow unlabeled_t netif_t:netif egress;

Thanks,
Matus Marhefka

_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
* Re: [LTP] Test case "netns_2children" fails under SELinux MLS
From: Jan Stancek @ 2014-10-14 10:03 UTC
To: Matus Marhefka; +Cc: ltp-list

----- Original Message -----
> From: "Matus Marhefka" <mmarhefk@redhat.com>
> To: ltp-list@lists.sourceforge.net
> Cc: "Jan Stancek" <jstancek@redhat.com>
> Sent: Monday, 13 October, 2014 7:34:27 PM
> Subject: Test case "netns_2children" fails under SELinux MLS
>
> Hi,
>
> I got fail for TC netns_2children (under kernel/containers/netns) when using
> SELinux policy MLS in enforcing mode:
>
> netns_child_2.sh 1 TFAIL : FAIL: Unable to ping Child1NS from Child2NS !
> netns_child_1.sh 1 TFAIL : CHILD2 is unable to reach CHILD1
> netns_2children 1 TFAIL : netns_two_children_ns.c:125: waitpid()
> returns 22672, errno 255
>
> ..but it passes for permissive mode (setenforce 0), so I can either report
> bug on SELinux policy
> or we must test this TC in permissive mode. I think reporting bug on SELinux
> policy is better solution,
> what do you think ?

I'm not sure, when I saw that "unlabeled_t" in your AVC, I was thinking maybe you are missing some label. How are you running it?

I tried to run it by hand, and although it fails to start sshd, pings seem to work:

1. install RHEL7 GA
2. yum install selinux-policy-mls
3. relabel all

and then:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      28

# cd /root/ltp/testcases/kernel/containers/netns
# env PATH=/root/ltp/testcases/lib:.:$PATH ./netns_two_children_ns
netns_child_1.sh: line 47: /usr/sbin/sshd: Permission denied
netns_child_2.sh: line 46: /usr/sbin/sshd: Permission denied
netns_child_2.sh 1 TINFO : PASS: CHILD1 is pinging from CHILD2 !
netns_child_1.sh 1 TINFO : PASS: Child2 is pinging from CHILD1 !
netns_2children 1 TPASS : two children ns

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)

# rpm -qa selinux-policy*
selinux-policy-3.12.1-153.el7.noarch
selinux-policy-targeted-3.12.1-153.el7.noarch
selinux-policy-mls-3.12.1-153.el7.noarch

Regards,
Jan

>
> More details (after test fail):
> # ausearch -m avc -ts recent | grep ping
> type=SYSCALL msg=audit(1413219951.925:1481): arch=c000003e syscall=46
> success=yes exit=64 a0=5 a1=7fc90a490160 a2=0 a3=0 items=0 ppid=21088
> pid=21167 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts1 ses=17 comm="ping" exe="/usr/bin/pin "
> subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
> type=AVC msg=audit(1413219951.925:1481): avc: denied { egress } for
> pid=21167 comm= ping" saddr=192.168.0.184 daddr=192.168.0.182 netif=veth0
> scontext=system_u:object_r:unlabeled_t:s0
> tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif
>
> # ausearch -m avc -ts recent | grep ping | audit2allow
>
> #============= unlabeled_t ==============
> allow unlabeled_t netif_t:netif egress;
>
>
> Thanks,
> Matus Marhefka
* Re: [LTP] Test case "netns_2children" fails under SELinux MLS
From: Matus Marhefka @ 2014-10-16 12:27 UTC
To: Jan Stancek; +Cc: ltp-list

Hi,

it was really just a bad label, after relabelling or on a clean installation of RHEL7 it passes.

Thanks,
Matus Marhefka
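An added triage helper, not code from LTP or from anyone on the list, that makes Jan's observation mechanical: parse an AVC record such as the one Matus posted and classify a denial whose source or target type is unlabeled_t as a labelling problem (fix by relabelling, as the thread concluded) rather than a policy gap that the audit2allow rule would paper over. The thread's AVC line is embedded verbatim; the second sample is constructed for the test and its packet type name is a placeholder, not a real policy type.

```python
import re

# AVC record copied verbatim from the thread above. The "comm= ping" and
# "/usr/bin/pin " glitches are in the original mail; the fields we need
# (scontext, tcontext, tclass, permission) survive them.
AVC_FROM_THREAD = (
    'type=AVC msg=audit(1413219951.925:1481): avc: denied { egress } for '
    'pid=21167 comm= ping" saddr=192.168.0.184 daddr=192.168.0.182 netif=veth0 '
    'scontext=system_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif'
)

# Constructed sample (not from the thread): same denial, but the packet
# carries a real label, so a denial here really is a policy question.
# "example_packet_t" is a placeholder, not an actual policy type.
CONSTRUCTED_POLICY_CASE = (
    'type=AVC msg=audit(1413219951.925:1482): avc: denied { egress } for '
    'pid=21167 comm="ping" saddr=192.168.0.184 daddr=192.168.0.182 netif=veth0 '
    'scontext=system_u:object_r:example_packet_t:s0 '
    'tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denied permissions and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in KV_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    # SELinux context is user:role:type[:range]; the MLS range itself may
    # contain colons, so take the third field rather than the last.
    return ctx.split(':')[2]


def triage(line):
    """'relabel' if either side of the denial is unlabeled_t, 'policy' otherwise."""
    rec = parse_avc(line)
    if rec is None:
        return None
    types = {context_type(rec['scontext']), context_type(rec['tcontext'])}
    return 'relabel' if 'unlabeled_t' in types else 'policy'
```

Fed the output of `ausearch -m avc` line by line, this separates the denials worth a policy report from those that a relabel (restorecon or a full relabel on next boot) will make disappear.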