Re: Help with test failures

Orion Poplawski via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> writes:

> Looks like the selint complaint about virt.if is still present in 
> current tests, see
>
> https://artifacts.dev.testing-farm.io/bc02eee7-d23b-4327-91b8-059bbbe624e1/
>
> can that get fixed?

So the DSP testsuite seems to use an obsoleted selint from the vmojzis/SELinux
repo. But it would fail even with selint from rawhide.

For this particular problem there's a fix for `selint` upstream and it needs to be updated. I'll prepare a PR.
In the meantime there's a build in my copr repo:

# dnf copr enable plautrba/selint
# dnf update selint


But it fails on other issues:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:14:50 ] :: [  BEGIN   ] :: Running 'semodule -lfull | grep zabbix'
200 zabbix               pp          
100 zabbix               pp          
:: [ 07:14:50 ] :: [   PASS   ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
:: [ 07:14:50 ] :: [  BEGIN   ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 07:14:50 ] :: [   PASS   ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
:: [ 07:14:50 ] :: [  BEGIN   ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
Never allow:
Access to restricted types: allow zabbix_script_t security_t:file { append getattr write read lock open ioctl }
policy management (permissions): allow zabbix_script_t security_t:security { setsecparam }
Access to restricted types: allow zabbix_agent_t security_t:file { lock write read append open ioctl getattr }
Access to restricted types: allow zabbix_t security_t:file { lock write read append open ioctl getattr }
Warnings:
Circumventing DAC settings as root (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
Reassociate thread with a namespace (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
Trace arbitrary process (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
Circumventing DAC settings as root (capability): allow zabbix_agent_t self:capability { dac_read_search setgid sys_resource audit_write setuid chown }
Circumventing DAC settings as root (capability): allow zabbix_t self:capability { dac_read_search sys_resource setuid setgid }
Attributes allowing excessive write access: typeattributeset files_unconfined_type (zabbix_script_t)
Attributes allowing excessive write access: typeattributeset unconfined_domain_type (zabbix_script_t)
Attributes allowing excessive access: typeattributeset files_unconfined_type (zabbix_script_t)
Attributes allowing excessive access: typeattributeset unconfined_domain_type (zabbix_script_t)
Transition to unconfined domain: typetransition zabbix_agent_t lvm_exec_t process lvm_t
Transition to unconfined domain: typetransition zabbix_t zabbix_script_exec_t process zabbix_script_t
Transition to unconfined domain: typetransition zabbix_agent_t zabbix_script_exec_t process zabbix_script_t
:: [ 07:14:51 ] :: [   FAIL   ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 1s
::   Assertions: 2 good, 1 bad
::   RESULT: FAIL (Unsound/dangerous policy practices)


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:14:51 ] :: [  BEGIN   ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G'
base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      |                                                                                                           ^
base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 07:14:51 ] :: [   PASS   ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G' (Expected 0, got 0)
:: [ 07:14:51 ] :: [  BEGIN   ] :: Running 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G''
base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      |                                                                                                           ^
base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 07:14:51 ] :: [   FAIL   ] :: Command 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 1 good, 1 bad
::   RESULT: FAIL (SELint static analysis)


> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> ::   SELint static analysis
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>
> base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
>    169 |     filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>        |                                                                         ^
> base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
>    169 |     filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>        |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Error: Failed to parse files
> :: [ 04:12:45 ] :: [   PASS   ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.tqHGzCjvxZ' (Expected 0, got 0)
> base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
>    169 |     filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>        |                                                                         ^
> base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
>    169 |     filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>        |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Error: Failed to parse files
>
>
> virt.if:
>          # This sequence of quotation marks is needed to prevent "interface"
>          # from being interpreted as a keyword and further parsed by m4 macros
>          filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
> Thanks.
>
> On 6/6/24 10:03, Vit Mojzis wrote:
>> Hi,
>> sorry about that.
>> I just fixed the syntax warning, but it seems there is another issue 
>> with selint not liking a filetrans_pattern use in virt.if.
>> Feel free to ignore the latter as well as the AVCs. Zdenek is working on 
>> fixing them.
>> 
>> Vit
>> 
>> On 5/30/24 00:14, Orion Poplawski wrote:
>>> We have the following PR for zabbix SELinux policy:
>>>
>>> https://src.fedoraproject.org/rpms/zabbix/pull-request/10
>>>
>>> and we're getting some test failures, but I can't really interpret them.
>>>
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> ::   Unsound/dangerous policy practices
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>
>>> :: [ 21:15:26 ] :: [  BEGIN   ] :: Running 'semodule -lfull | grep zabbix'
>>> :: [ 21:15:26 ] :: [   PASS   ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
>>> :: [ 21:15:26 ] :: [  BEGIN   ] :: Running 'semodule -X 200 --cil -E zabbix'
>>> :: [ 21:15:26 ] :: [   PASS   ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
>>> :: [ 21:15:26 ] :: [  BEGIN   ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
>>> /var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
>>>    out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file], capture_output=True, text=True)
>>> :: [ 21:15:27 ] :: [   FAIL   ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> ::   Duration: 1s
>>> ::   Assertions: 2 good, 1 bad
>>> ::   RESULT: FAIL (Unsound/dangerous policy practices)
>>>
>>> This seems like it might be a python error in the test.
>>>
>>>
>>>
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> ::   SELint static analysis
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>
>>> :: [ 21:15:27 ] :: [  BEGIN   ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
>>> :: [ 21:15:27 ] :: [   PASS   ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010  --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
>>> :: [ 21:15:27 ] :: [  BEGIN   ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
>>> :: [ 21:15:27 ] :: [   FAIL   ] :: Command 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>> ::   Duration: 0s
>>> ::   Assertions: 1 good, 1 bad
>>> ::   RESULT: FAIL (SELint static analysis)
>>>
>>> No idea about this.
>> The full test log (https://artifacts.dev.testing-farm.io/ebf002df-7f59-45c4-9160-bfd693126aff/work-tests-DSP.ymlwxt4nh1a/tests-y752y75s/FAIL-DSP_test.log)
>> shows the output of "selint" in this part (grep is filtering out any
>> issues labeled as "F-002" and there should be no others).
>> 
>> 
>>>
>>> In the installability test:
>>>
>>> BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
>>> ----
>>> type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc:  denied  { map_read map_write } for  pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>> ----
>>> type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc:  denied  { map_read map_write } for  pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>> ----
>>> type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc:  denied  { map_read map_write } for  pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>> ----
>>> type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc:  denied  { map_read map_write } for  pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>> ----
>>> type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc:  denied  { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
>>> ----
>>> type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc:  denied  { map_read map_write } for  pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>>
>>>
>>> and more, but these seem unrelated to the zabbix package.
>>>
>>>
>>>
>>>
>>> -- 
>>> _______________________________________________
>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
>
> -- 
> Orion Poplawski
> he/him/his  - surely the least important thing about me
> IT Systems Manager                         720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion@xxxxxxxx
> Boulder, CO 80301                 https://www.nwra.com/

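The "Unsound/dangerous policy practices" log above prints four kinds of findings: never-allow hits on a restricted target type (`security_t`), capability warnings, unconfined attribute assignments, and process transitions into an unconfined domain. The following is an added example, not the DSP test's own `test.py` (whose rule set is not shown in this thread): a small Python linter that parses CIL statements and reports the same categories. The category wording, the restricted-type set (only `security_t`), the capability-to-message table, and the two unconfined attribute names are assumptions read off the log lines; the CIL input is a constructed sample modelled on the rules the log quotes.

```python
"""Flag 'unsound/dangerous policy practices' in a CIL module.

Added example, not the DSP test's test.py: the check categories are
reconstructed from the test log, and the tables below are assumptions.
"""
import re
import sys

# Assumption: the log only ever names security_t as a restricted target.
RESTRICTED_TYPES = {"security_t"}
# Assumption: capability -> warning text, inferred from the log messages.
CAP_MESSAGES = {
    "dac_override": "Circumventing DAC settings as root",
    "dac_read_search": "Circumventing DAC settings as root",
    "sys_admin": "Reassociate thread with a namespace",
    "sys_ptrace": "Trace arbitrary process",
}
UNCONFINED_ATTRS = {"unconfined_domain_type", "files_unconfined_type"}

# Constructed sample CIL, modelled on the rules quoted in the test log.
SAMPLE_CIL = """
; constructed sample, not a real zabbix module
(allow zabbix_t security_t (file (lock write read append open ioctl getattr)))
(allow zabbix_script_t security_t (security (setsecparam)))
(allow zabbix_script_t self (capability (dac_read_search sys_admin sys_ptrace setuid)))
(allow zabbix_t self (capability (dac_read_search sys_resource setuid setgid)))
(allow zabbix_t zabbix_log_t (file (read open)))
(typeattributeset unconfined_domain_type (zabbix_script_t))
(typetransition zabbix_t zabbix_script_exec_t process zabbix_script_t)
(typetransition zabbix_t zabbix_log_t file zabbix_tmp_t)
"""


def parse_cil(text):
    """Parse CIL (an s-expression language) into nested Python lists."""
    text = re.sub(r";[^\n]*", "", text)  # drop ';' comments
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return [s for s in stack[0] if isinstance(s, list) and s]


def fmt_allow(src, tgt, cls, perms):
    """Render an allow rule the way the test log prints it."""
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }}"


def lint_cil(text):
    """Return (never_allow_hits, warnings) for the CIL module in `text`."""
    stmts = parse_cil(text)
    never, warnings = [], []

    # Types this module places into an unconfined attribute; a process
    # transition into one of them is reported as reaching an unconfined domain.
    unconfined = set()
    for s in stmts:
        if s[0] == "typeattributeset" and s[1] in UNCONFINED_ATTRS:
            unconfined.update(t for t in s[2] if isinstance(t, str))

    for s in stmts:
        kind = s[0]
        if kind == "allow" and len(s) == 4 and isinstance(s[3], list):
            src, tgt, (cls, perms) = s[1], s[2], s[3]
            rule = fmt_allow(src, tgt, cls, perms)
            if tgt in RESTRICTED_TYPES:
                if cls == "security":
                    never.append(f"policy management (permissions): {rule}")
                else:
                    never.append(f"Access to restricted types: {rule}")
            if cls == "capability" and tgt == "self":
                seen = set()
                for perm in perms:
                    msg = CAP_MESSAGES.get(perm)
                    if msg and msg not in seen:  # one warning per message
                        seen.add(msg)
                        warnings.append(f"{msg} (capability): {rule}")
        elif kind == "typeattributeset" and s[1] in UNCONFINED_ATTRS:
            names = " ".join(t for t in s[2] if isinstance(t, str))
            warnings.append(f"Attributes allowing excessive access: typeattributeset {s[1]} ({names})")
        elif kind == "typetransition" and len(s) >= 5:
            src, tgt, cls, result = s[1:5]
            if cls == "process" and result in unconfined:
                warnings.append(f"Transition to unconfined domain: typetransition {src} {tgt} {cls} {result}")
    return never, warnings


def report(text):
    """Print findings in the log's layout; return the number of never-allow hits."""
    never, warnings = lint_cil(text)
    print("Never allow:\n" + "\n".join(never))
    print("Warnings:\n" + "\n".join(warnings))
    return len(never)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CIL
    sys.exit(1 if report(source) else 0)
```

Run it as `python3 cil_lint.py zabbix.cil` on the module extracted with `semodule -X 200 --cil -E zabbix`, as the test does; with no argument it lints the constructed sample. Only the never-allow findings make the exit status non-zero, the warnings are informational, which mirrors the split between the two sections in the log.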