Re: Help with test failures

On Thu, May 30, 2024 at 12:14 AM Orion Poplawski <orion@xxxxxxxx> wrote:
We have the following PR for zabbix SELinux policy:

https://src.fedoraproject.org/rpms/zabbix/pull-request/10

and we're getting some test failures, but I can't really interpret them.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:26 ] :: [  BEGIN   ] :: Running 'semodule -lfull | grep zabbix'
:: [ 21:15:26 ] :: [   PASS   ] :: Command 'semodule -lfull | grep zabbix'
(Expected 0, got 0)
:: [ 21:15:26 ] :: [  BEGIN   ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 21:15:26 ] :: [   PASS   ] :: Command 'semodule -X 200 --cil -E zabbix'
(Expected 0, got 0)
:: [ 21:15:26 ] :: [  BEGIN   ] :: Running 'python3 test.py zabbix.cil
policy/zabbix.te'
/var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
  out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file],
capture_output=True, text=True)
:: [ 21:15:27 ] :: [   FAIL   ] :: Command 'python3 test.py zabbix.cil
policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 1s
::   Assertions: 2 good, 1 bad
::   RESULT: FAIL (Unsound/dangerous policy practices)

This seems like it might be a python error in the test.



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:27 ] :: [  BEGIN   ] :: Running 'selint -s -r -d E-005 -d W-004 -d
W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc
policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [   PASS   ] :: Command 'selint -s -r -d E-005 -d W-004 -d
W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc
policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [  BEGIN   ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [   FAIL   ] :: Command 'grep -v 'F-002'
'/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 1 good, 1 bad
::   RESULT: FAIL (SELint static analysis)

No idea about this.


In the installability test:

BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
----
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc:  denied  { map_read
map_write } for  pid=4601 comm=selinux-autorel
scontext=system_u:system_r:selinux_autorelabel_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc:  denied  { map_read
map_write } for  pid=4605 comm=systemd-fstab-g
scontext=system_u:system_r:systemd_fstab_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc:  denied  { map_read
map_write } for  pid=4609 comm=systemd-gpt-aut
scontext=system_u:system_r:systemd_gpt_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc:  denied  { map_read
map_write } for  pid=4613 comm=systemd-rc-loca
scontext=system_u:system_r:systemd_rc_local_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc:  denied  { read } for
pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc:  denied  { map_read
map_write } for  pid=4619 comm=systemd-sysv-ge
scontext=system_u:system_r:systemd_sysv_generator_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0


and more, but these seem unrelated to the zabbix package.

Hi Orion,

Commenting only on the second part:
bpf map_read/map_write is a known issue which has been fixed in systemd;
using vsock is a feature of the ssh generator, new in systemd v256, which was fixed in policy 2 builds ago.
Please update your system.

--
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--

Zdenek Pytela
Security SELinux team
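The AVC records quoted in the thread are the kind of thing that has to be triaged before deciding whether a package's policy module is at fault. The script below is an added example, not code from either message and not part of the zabbix package or the Fedora SELinux policy: it parses audit AVC lines into structured records, splits them by whether the source or target type begins with a given module prefix (here zabbix), and collapses the remainder into a per-domain summary. The first six sample records are the ones from the message above, re-joined onto single lines; the seventh, with the type zabbix_example_t, is constructed so the filter has a positive case, and that type name is a placeholder rather than a real zabbix policy type. The parse_avc, attribute and summarize functions are this example's own names.

```python
import re
from collections import Counter

# Sample input: the six AVC records quoted in the message above, re-joined onto
# one line each, plus one CONSTRUCTED record (the last one; its type
# "zabbix_example_t" is a placeholder, not a real policy type) so that the
# attribution filter has a positive case to show. The "----" separators are
# kept as they appear in the installability test output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc:  denied  { map_read map_write } for  pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc:  denied  { map_read map_write } for  pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc:  denied  { map_read map_write } for  pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc:  denied  { map_read map_write } for  pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc:  denied  { read } for  pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc:  denied  { map_read map_write } for  pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:29.000:963) : avc:  denied  { write } for  pid=4700 comm=zabbix-sample name="log" dev="tmpfs" ino=999 scontext=system_u:system_r:zabbix_example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (dev="devtmpfs") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": tuple(sorted(m.group("perms").split())),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def parse_audit(text):
    """Parse every AVC record in a block of audit output, skipping other lines."""
    return [rec for rec in (parse_avc(line) for line in text.splitlines()) if rec is not None]


def attribute(records, module_prefix):
    """Split records into those whose source or target type belongs to the policy
    module under review (matched by type-name prefix) and those that do not."""
    related, unrelated = [], []
    for rec in records:
        if rec["stype"].startswith(module_prefix) or rec["ttype"].startswith(module_prefix):
            related.append(rec)
        else:
            unrelated.append(rec)
    return related, unrelated


def summarize(records):
    """Collapse records into (source type, target type, class, perms) -> count."""
    return Counter((r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in records)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    related, unrelated = attribute(recs, "zabbix")
    print(f"{len(recs)} AVC records: {len(related)} involve zabbix types, {len(unrelated)} do not")
    for (stype, ttype, tclass, perms), n in sorted(summarize(unrelated).items()):
        print(f"  unrelated x{n}: {stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
    for r in related:
        print(f"  related: pid={r['pid']} comm={r['comm']} {r['stype']} -> {r['ttype']}:{r['tclass']}")
```

Run with python3 and it prints which denials involve the module under review and which belong elsewhere. Every bpf and vsock denial on this page lands in the second group, which is consistent with the reply's diagnosis that they are systemd and base-policy issues rather than something to be addressed in the zabbix module.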