Description of problem:
selinux_sigiotask from the 20060505 ltp selinux test suite fails consistently on RHEL 4 (2.6.9-37.EL). This is not a regression, as it fails on earlier kernels as well, although the exit code is different on older kernels (2.6.9-5 or 22), being 1 rather than 2.

Version-Release number of selected component (if applicable):
RHEL 4 2.6.9-37.EL, 2.6.9-22, 2.6.9-5

How reproducible:
Always on x86_64

Steps to Reproduce:
1. Build/run ltp selinux test suite
2. the test07 from selinux_file test will be the only one that fails
3. This corresponds to ltp-full-20060515/testcases/kernel/security/selinux-testsuite/tests/file/selinux_sigiotask

Actual results:
running from a pseudoterm we get:
runcon -t test_fileop_t -- file/selinux_sigiotask
# no output to console

from /var/log/messages:
May 31 11:13:40 dhcp59-204 root: selinux_sigiotask start
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:130): avc: denied { read write } for pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=root:object_r:initrc_devpts_t tclass=chr_file
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:131): avc: denied { use } for pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=user_u:system_r:initrc_t tclass=fd
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:132): avc: denied { use } for pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=user_u:system_r:initrc_t tclass=fd
May 31 11:13:47 dhcp59-204 kernel: audit(1149088427.264:133): avc: denied { use } for pid=6320 comm="selinux_sigiota" name="0" dev=devpts ino=2 scontext=root:system_r:test_fileop_t tcontext=user_u:system_r:initrc_t tclass=fd
May 31 11:13:55 dhcp59-204 root: selinux_sigiotask end

Running from a 'real tty - tty1' we get a segfault:
(no useful console output)
May 31 11:16:27 dhcp59-204 root: selinux_sigiotask from console start
May 31 11:16:45 dhcp59-204 kernel: selinux_sigiota[6368]: segfault at 00000000bffffbc2 rip 000000374a96ff20 rsp 0000007fbfffef28 error 4
May 31 11:16:59 dhcp59-204 root: selinux_sigiotask from console end

Expected results:
Test passes.

Additional info:
Likely occurs on all other architectures as well. Other arches have not yet been tested.

This was also tested with 2.6.9-34.EL. When run from the console (tty1) all other tests pass.
Just ran with everything on the beta channel including 2.6.9-34.0.1.ELsmp. Failed on both an ssh connection and a real tty. On the real tty just added the rule
    allow test_fileop_t user_home_t:dir search;
and it worked fine. For the ssh terminal added
    allow test_fileop_t initrc_devpts_t:chr_file { read write };
    allow test_fileop_t initrc_t:fd use;
and it started working. Going to attempt to figure out what of these I should care about. It seems as though the test works fine but is having some access problems to either files it needs or the console....
    fd = open(ctermid(NULL), O_RDWR, 0);
    if(fd == -1) {
        perror("selinux_sigiotask:open");
        exit(2);
    }
without
    allow test_fileop_t initrc_devpts_t:chr_file { read write };
the open fails so it exits with 2. My guess is that pre-u2 policy (where initrc was introduced) we may have been failing with different errors....
So I'd say this is an LTP problem, not kernel.
We failed with an exit 1 in GA, I did not try U1. I agree this is not a kernel problem at this point. Do you think this is a worthwhile test with the policy change?
I think adding permissions to talk to the console is reasonable if it's broken in the reference policy I think a bug should be filed with LTP.
Mike, haven't heard anything in a while, going to close notabug; you can reopen if you need a BZ to handle the policy change (but I doubt you do).