We have the following PR for zabbix SELinux policy:

https://src.fedoraproject.org/rpms/zabbix/pull-request/10

and we're getting some test failures, but I can't really interpret them.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
/var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
  out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file], capture_output=True, text=True)
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)

This seems like it might be a Python error in the test.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)

No idea about this.

In the installability test:

BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
----
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read map_write } for pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read map_write } for pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read map_write } for pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read map_write } for pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read map_write } for pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0

and more, but these seem unrelated to the zabbix package.

-- 
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
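
The AVC records quoted in the message can be triaged mechanically. The following is an added example, not part of the original post or of the Fedora test suite: it parses denials in the format shown above and separates those whose source or target type belongs to the package's policy module from the rest. It assumes the module's types share the prefix `zabbix`; the function names are illustrative, and the third sample record is constructed.

```python
import re

# AVC records in the format quoted in the message. The first two are copied
# from the post; the third is CONSTRUCTED to show what a related denial looks like.
SAMPLE = """\
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read map_write } for pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(01/01/2024 00:00:00.000:1) : avc: denied { read } for pid=1 comm=zabbix_agentd name=example scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# One record per line: permission set, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Extract permissions, source type, target type and class from each denial."""
    return [
        {
            "perms": m["perms"].split(),
            "source": selinux_type(m["scontext"]),
            "target": selinux_type(m["tcontext"]),
            "tclass": m["tclass"],
        }
        for m in AVC_RE.finditer(text)
    ]

def split_by_module(records, prefix="zabbix"):
    """Split denials into (related, unrelated) by type prefix (an assumption)."""
    related, unrelated = [], []
    for rec in records:
        hit = rec["source"].startswith(prefix) or rec["target"].startswith(prefix)
        (related if hit else unrelated).append(rec)
    return related, unrelated

if __name__ == "__main__":
    related, unrelated = split_by_module(parse_avcs(SAMPLE))
    for label, group in (("related", related), ("unrelated", unrelated)):
        for rec in group:
            print(label, rec["source"], "->", rec["target"], rec["tclass"], rec["perms"])
```

The prefix match is a heuristic: a denial between two non-zabbix types can still be triggered by a package scriptlet, so the `comm=` and timing of unrelated records are worth a look before dismissing them.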