Red Hat Bugzilla – Attachment 1918740 Details for Bug 2135794: Listening socket has incorrect label when SELinuxContextFromNet=yes is set
[patch] Patch for the test case Sanity/SELinuxContextFromNet
Description: Patch for the test case Sanity/SELinuxContextFromNet
Filename: 0001-Improve-and-extend-SELinuxContextFromNet-sanity-test.patch
MIME Type: text/plain
Creator: Michal Sekletar
Created: 2022-10-18 12:55:38 UTC
Size: 7.58 KB
Flags: patch, obsolete
>From 245824c22cef2152dc73cea18d3e269bdfeeef66 Mon Sep 17 00:00:00 2001 >From: Michal Sekletar <msekleta@redhat.com> >Date: Tue, 18 Oct 2022 14:28:13 +0200 >Subject: [PATCH] Improve and extend SELinuxContextFromNet= sanity test > >This commits reworks the test a fair bit. First, let's play it safe >and use dedicated dummy interface instead of loopback. > >rlRun invocations were modified and now log about executed actions. > >Last but not least, we now also test what is the label of socket >that systemd is listening on. Expectation is that socket unit will >have label derived from target (i.e. launched by service) executable >and child process will have that label + corresponding sensitivity >level received from NetLabel. >--- > Sanity/SELinuxContextFromNet/main.fmf | 5 +- > Sanity/SELinuxContextFromNet/runtest.sh | 112 ++++++++++++++---------- > 2 files changed, 66 insertions(+), 51 deletions(-) > >diff --git a/Sanity/SELinuxContextFromNet/main.fmf b/Sanity/SELinuxContextFromNet/main.fmf >index ee055c1..2fb17b0 100644 >--- a/Sanity/SELinuxContextFromNet/main.fmf >+++ b/Sanity/SELinuxContextFromNet/main.fmf >@@ -5,9 +5,8 @@ adjust: > component: systemd > summary: Sanity test for SELinuxContextFromNet socket unit option > description: Test for SELinuxContextFromNet= socket unit option. Test uses very basic >- Linux Netlabel setup over loopback interface and verifies that spawned service >- has correct SELinux sensitivity. Note that test expects that SUT is running with >- MLS SELinux policy. >+ Linux NetLabel setup over dummy interface and verifies that spawned service >+ has correct SELinux sensitivity. > link: > - https://www.kernel.org/doc/html/latest/netlabel/introduction.html > - implements: https://polarion.engineering.redhat.com/polarion/#/project/RHELBASEOS/workitem?id=BASEOS-10878 >diff --git a/Sanity/SELinuxContextFromNet/runtest.sh b/Sanity/SELinuxContextFromNet/runtest.sh >index 10757c5..a44eed5 100755 >--- a/Sanity/SELinuxContextFromNet/runtest.sh 
>+++ b/Sanity/SELinuxContextFromNet/runtest.sh 
>@@ -38,73 +38,89 @@ export RHTS_OPTION_STRONGER_AVC= > > PACKAGE="systemd" > >-SOCKET="netlabel.socket" >-SERVICE="netlabel@.service" >+IFACE="dummy127" >+ADDR="127.0.0.127" >+PORT="56789" > >-SIP="127.0.0.2" >-DIP="127.0.0.1" >-PORT="5000" >- >-rlJournalStart >+LABEL="staff_u:staff_r:staff_t:s8" > >-if [[ $REBOOTCOUNT -eq 0 ]]; then >- rlPhaseStartSetup >- rlFileBackup /etc/selinux/config >- rlRun "sed -ri 's/^SELINUX=\w+$/SELINUX=permissive/' /etc/selinux/config" >- rlRun "sed -ri 's/^SELINUXTYPE=\w+$/SELINUXTYPE=mls/' /etc/selinux/config" >- rlRun "cat /etc/selinux/config" >- rlRun "fixfiles -F onboot" >- rlPhaseEnd >+SOCKET="netlabel.socket" >+SOCKET_CONTENT="$(cat<<EOF >+[Socket] >+ListenStream=$ADDR:$PORT >+Accept=yes >+SELinuxContextFromNet=yes >+EOF >+)" > >- rhts-reboot >-fi >+SERVICE="netlabel@.service" >+SERVICE_CONTENT="$(cat<<EOF >+[Service] >+StandardInput=socket >+StandardOutput=inherit >+ExecStart=/usr/bin/id2 -Z >+EOF >+)" > >-if [[ $REBOOTCOUNT -eq 1 ]]; then >+rlJournalStart >+if [ $REBOOTCOUNT -eq 0 ]; then > rlPhaseStartSetup > rlAssertRpm $PACKAGE >- if ! 
sestatus | grep mls; then >- rlDie "System must be running with MLS policy" >- fi >+ rlRun 'TmpDir=$(mktemp -d)' 0 'Creating tmp directory' >+ rlRun "pushd $TmpDir" > >- rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" >+ rlFileBackup "/etc/selinux/config" >+ rlRun "setenforce 0" 0 "Switch SELinux to permissive mode" >+ rlRun "sed -i -e 's/SELINUX=enforcing/SELINUX=permissive/g' -e 's/SELINUXTYPE=targeted/SELINUXTYPE=mls/g' /etc/selinux/config" 0 "Change SELinux policy to MLS" >+ rlRun "fixfiles -F onboot" 0 "Relabel filesystem after reboot" >+ rlPhaseEnd >+ rhts-reboot >+elif [ $REBOOTCOUNT -eq 1 ]; then >+ rlPhaseStart FAIL "Setup NetLabel" >+ rlRun 'TmpDir=$(mktemp -d)' 0 'Creating tmp directory' > rlRun "pushd $TmpDir" > >- cat >"/run/systemd/system/$SOCKET" <<EOF >-[Socket] >-ListenStream=$DIP:$PORT >-Accept=true >-SELinuxContextFromNet=true >-EOF >+ rlRun "ip link add dev $IFACE type dummy" 0 "Add interface $IFACE" >+ rlRun "ip address add $ADDR/32 dev $IFACE" 0 "Add IP address $ADDDR/32 to $IFACE interface" >+ rlRun "ip link set up dev $IFACE" 0 "Bring UP interface $IFACE" >+ rlRun "netlabelctl unlbl add default address:$ADDR/32 label:$LABEL" >+ rlPhaseEnd > >- cat >"/run/systemd/system/$SERVICE" <<EOF >-[Service] >-ExecStart=/bin/bash -c 'ps -olabel= -p \$\$\$\$' >-StandardInput=socket >-EOF >- rlRun "systemctl daemon-reload" 0 "Make systemd aware of our test units" >+ rlPhaseStart FAIL "Setup systemd units" >+ rlRun "cp /usr/bin/id /usr/bin/id2" 0 "Create copy of 'id' utility as 'id2'" >+ rlRun "chcon system_u:object_r:httpd_exec_t:s0 /usr/bin/id2" 0 "Change SELinux label of 'id2' to be the same as label used by httpd" >+ rlRun "echo \"${SOCKET_CONTENT}\" > /run/systemd/system/$SOCKET" 0 "Write socket unit" >+ rlRun "echo \"${SERVICE_CONTENT}\" > /run/systemd/system/$SERVICE" 0 "Write service template" >+ rlRun "systemctl daemon-reload" 0 "Reload systemd" > rlRun "systemctl start $SOCKET" 0 "Start test socket unit" >- rlRun "ip address add $SIP dev 
lo" 0 "Add additional loopback address that we use as source" >- rlRun "netlabelctl unlbl accept on" 0 "Make sure unlabeled traffic is accepted" >- rlRun "netlabelctl unlbl add interface:lo address:$SIP/32 label:system_u:object_r:initrc_t:s10" 0 "Add netlabel rule" > rlPhaseEnd > > rlPhaseStartTest >- rlRun "nc --recv-only -s $SIP $DIP $PORT | grep -E ':s10$'" 0 "Check that spawned process has correct SELinux sensitivity" >- rlPhaseEnd >- >- rlPhaseStartCleanup >- rlRun "systemctl stop $SOCKET" 0 "Stop socket" >- rlRun "rm -f /run/systemd/system/{$SOCKET,$SERVICE}" 0 "Remove test unit files" >- rlRun "netlabelctl unlbl del interface:lo address:$SIP/32 label:system_u:object_r:initrc_t:s10" 0 "Delete netlabel rule" >- rlRun "ip address del $SIP/32 dev lo" 0 "Remove $SIP for loopback interface" >+ rlRun -s "ss --family=inet --listening --numeric --no-header --oneline --contexts \"( sport = $PORT )\"" 0 "Query information about the test socket" >+ rlRun -s "grep -o -P 'sock_ctx=\w+:\w+:\w+(:s\d{1,2}(-s\d{1,2})?)?(:c\d{1,4}(\.c\d{1,4})?)?' 
$rlRun_LOG" 0 "Parse out SELinux label of the socket" >+ rlRun -s "cut -d= -f2 $rlRun_LOG" >+ rlLog "Check that socket socket has label derived from the label of target executable" >+ rlAssertGrep "httpd_t" "$rlRun_LOG" >+ >+ rlRun -s 'nc --recv-only "$ADDR" "$PORT"' 0 "Connect to socket and log SELinux label returned by id" >+ rlLog "Check that returned label contains a combination of SELinux type derived from executable and sensitivity level from NetLabel" >+ rlAssertGrep "httpd_t:s8" "$rlRun_LOG" > rlPhaseEnd > > rlPhaseStartCleanup > rlFileRestore >- rlRun "cat /etc/selinux/config" >- rlRun "fixfiles -F onboot" >+ rlRun "fixfiles -F onboot" 0 "Relabel filesystem after reboot" >+ rlRun "netlabelctl unlbl del default address:$ADDR/32 label:$LABEL" 0 "Remove NetLabel rule" >+ rlRun "ip link del $IFACE" 0 "Delete test interface" >+ rlPhaseEnd >+ rhts-reboot >+elif [ $REBOOTCOUNT -eq 2 ]; then >+ rlPhaseStart FAIL "Verify SELinux state after second reboot" >+ rlRun -s "getenforce" 0 "Get SELinux state" >+ rlAssertGrep "Enforcing" "$rlRun_LOG" >+ rlRun -s "sestatus | grep 'Loaded policy name:'" 0 "Get loaded SELinux policy" >+ rlAssertGrep "targeted" "rlRun_LOG" > rlPhaseEnd >- rhts-reboot > fi > > rlJournalEnd >-- >2.34.1 >
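Review bot: in the main.fmf hunk the description drops the sentence "Note that test expects that SUT is running with MLS SELinux policy", but the reworked runtest.sh now rewrites /etc/selinux/config to SELINUXTYPE=mls, switches to permissive mode, runs `fixfiles -F onboot` and reboots the SUT twice, which is a stronger side effect than the old precondition. The description should say that the test changes the SELinux policy and mode, relabels the filesystem and restores the original configuration afterwards, so anyone scheduling it knows it needs reboot support and temporarily alters the SELinux state of the machine.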
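Review bot: in the runtest.sh hunk the final assertion `rlAssertGrep "targeted" "rlRun_LOG"` is missing the `$`, so it greps a literal file named rlRun_LOG that does not exist and the "Verify SELinux state after second reboot" phase can never pass; it should read `rlAssertGrep "targeted" "$rlRun_LOG"`. Two smaller points in the same hunk: the message `"Add IP address $ADDDR/32 to $IFACE interface"` has a typo (`$ADDDR`) and will log an empty address, and `rlRun -s "cut -d= -f2 $rlRun_LOG"` has no expected status or description, unlike every other rlRun call. The cleanup phase also lost the `systemctl stop $SOCKET` and `rm -f /run/systemd/system/{$SOCKET,$SERVICE}` lines from the old version and never removes the `/usr/bin/id2` copy that was created and labelled httpd_exec_t; the reboot clears /run, but `/usr/bin/id2` stays on the SUT after the test, so add `rlRun "rm -f /usr/bin/id2"` to the cleanup. Finally, the old setup explicitly ran `netlabelctl unlbl accept on` while the new one relies on whatever the default is; keeping that line would make the test independent of prior NetLabel state.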