Bug 1126266 - skip AVC checking if selinux is not enabled
Summary: skip AVC checking if selinux is not enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Community
Component: beah
Version: 0.17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified vote
Target Milestone: 0.18
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-04 03:51 UTC by Dan Callaghan
Modified: 2018-02-06 00:41 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-27 06:52:29 UTC


Attachments (Terms of Use)

Description Dan Callaghan 2014-08-04 03:51:24 UTC
The rhts-db-submit-result script should entirely skip its AVC checking logic if selinux is disabled or unavailable.

Comment 1 Dan Callaghan 2014-08-04 05:43:32 UTC
On Gerrit: http://gerrit.beaker-project.org/3105

Comment 2 Dan Callaghan 2014-08-04 05:48:07 UTC
Suggested test cases:

1. Run an ordinary reservesys job
-> Each result should have a log file named avc_log--*.log showing AVC checking happening (this is the existing behaviour)

2. Run a reservesys job with ks_meta="selinux=--permissive"
-> Each result should have a log file named avc_log--*.log showing AVC checking happening (this is the existing behaviour)

3. Run a job which uses /distribution/command to run a command which triggers an AVC denial, for example "runcon -u system_u -t httpd_sys_content_t cat /etc/passwd".
-> Task should have an "avc" Fail result (this is the existing behaviour)

4. Run a reservesys job with ks_meta="selinux=--disabled"
-> avc_log--*.log should be absent from every result, no AVC checking is performed.

Comment 6 Dan Callaghan 2014-08-27 06:52:29 UTC
rhts 4.64 has been released.


Note You need to log in before you can comment on or make changes to this bug.