On Thu, May 30, 2024 at 12:14 AM Orion Poplawski <orion@xxxxxxxx> wrote:
We have the following PR for zabbix SELinux policy:
https://src.fedoraproject.org/rpms/zabbix/pull-request/10
and we're getting some test failures, but I can't really interpret them.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix'
(Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix'
(Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil
policy/zabbix.te'
/var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file],
capture_output=True, text=True)
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil
policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)
This seems like it might be a python error in the test.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d
W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc
policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d
W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc
policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002'
'/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
No idea about this.
In the installability teest:
BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
----
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read
map_write } for pid=4601 comm=selinux-autorel
scontext=system_u:system_r:selinux_autorelabel_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read
map_write } for pid=4605 comm=systemd-fstab-g
scontext=system_u:system_r:systemd_fstab_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read
map_write } for pid=4609 comm=systemd-gpt-aut
scontext=system_u:system_r:systemd_gpt_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read
map_write } for pid=4613 comm=systemd-rc-loca
scontext=system_u:system_r:systemd_rc_local_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for
pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read
map_write } for pid=4619 comm=systemd-sysv-ge
scontext=system_u:system_r:systemd_sysv_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
and more, but these seem unrelated to the zabbix package.
Hi Orion,
commenting only on the second part:
bpf map_read/map_write is a known issue which has been fixed in systemd,
using vsock is a feature of ssh generator, new in systemd v256, which was fixed in policy 2 builds ago.
Please update your system.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@xxxxxxxx
Boulder, CO 80301 https://www.nwra.com/
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek Pytela
Security SELinux team
-- _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue