Petr Lautrbach via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> writes:

> Orion Poplawski via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> writes:
>
>> Looks like the selint complaint about virt.if is still present in
>> current tests, see
>>
>> https://artifacts.dev.testing-farm.io/bc02eee7-d23b-4327-91b8-059bbbe624e1/
>>
>> can that get fixed?
>
> So the DSP testsuite seems to use an obsolete selint from the vmojzis/SELinux
> repo. But it would fail even with selint from rawhide.
>
> For this particular problem there's a fix for `selint` upstream and it needs to be updated. I'll prepare a PR.
> In the meantime there's a build in my copr repo:
>
> # dnf copr enable plautrba/selint
> # dnf update selint
>
> But it fails on other issues:
>
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> :: Unsound/dangerous policy practices
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>
> :: [ 07:14:50 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
> 200 zabbix pp
> 100 zabbix pp
> :: [ 07:14:50 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
> :: [ 07:14:50 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
> :: [ 07:14:50 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
> :: [ 07:14:50 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
> Never allow:
> Access to restricted types: allow zabbix_script_t security_t:file { append getattr write read lock open ioctl }
> policy management (permissions): allow zabbix_script_t security_t:security { setsecparam }
> Access to restricted types: allow zabbix_agent_t security_t:file { lock write read append open ioctl getattr }
> Access to restricted types: allow zabbix_t security_t:file { lock write read append open ioctl getattr }
> Warnings:
> Circumventing DAC settings as root (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
> Reassociate thread with a namespace (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
> Trace arbitrary process (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
> Circumventing DAC settings as root (capability): allow zabbix_agent_t self:capability { dac_read_search setgid sys_resource audit_write setuid chown }
> Circumventing DAC settings as root (capability): allow zabbix_t self:capability { dac_read_search sys_resource setuid setgid }
> Attributes allowing excessive write access: typeattributeset files_unconfined_type (zabbix_script_t)
> Attributes allowing excessive write access: typeattributeset unconfined_domain_type (zabbix_script_t)
> Attributes allowing excessive access: typeattributeset files_unconfined_type (zabbix_script_t)
> Attributes allowing excessive access: typeattributeset unconfined_domain_type (zabbix_script_t)
> Transition to unconfined domain: typetransition zabbix_agent_t lvm_exec_t process lvm_t
> Transition to unconfined domain: typetransition zabbix_t zabbix_script_exec_t process zabbix_script_t
> Transition to unconfined domain: typetransition zabbix_agent_t zabbix_script_exec_t process zabbix_script_t
> :: [ 07:14:51 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> :: Duration: 1s
> :: Assertions: 2 good, 1 bad
> :: RESULT: FAIL (Unsound/dangerous policy practices)
> $ grep -C 2 unconfined_domain zabbix.te
optional_policy(`
	unconfined_domain(zabbix_script_t)
')

The error below is not related to zabbix policy and needs to be fixed (probably) in selint

> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> :: SELint static analysis
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>
> :: [ 07:14:51 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G'
> base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
> 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
>      |                                                                                                                             ^
> base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
> 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
>      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Error: Failed to parse files
> :: [ 07:14:51 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G' (Expected 0, got 0)
> :: [ 07:14:51 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G''
> base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
> 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
>      |                                                                                                                             ^
> base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
> 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
>      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Error: Failed to parse files
> :: [ 07:14:51 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G'' (Expected 1, got 0)
> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
> :: Duration: 0s
> :: Assertions: 1 good, 1 bad
> :: RESULT: FAIL (SELint static analysis)
>
>
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>> :: SELint static analysis
>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>
>> base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
>> 169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>>     |                                                                      ^
>> base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
>> 169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>>     | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Error: Failed to parse files
>> :: [ 04:12:45 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.tqHGzCjvxZ' (Expected 0, got 0)
>> base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
>> 169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>>     |                                                                      ^
>> base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
>> 169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>>     | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Error: Failed to parse files
>>
>>
>> virt.if:
>> # This sequence of quotation marks is needed to prevent "interface"
>> # from being interpreted as a keyword and further parsed by m4 macros
>> filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
>>
>> Thanks.
>>
>> On 6/6/24 10:03, Vit Mojzis wrote:
>>> Hi,
>>> sorry about that.
>>> I just fixed the syntax warning, but it seems there is another issue
>>> with selint not liking a filetrans_pattern use in virt.if.
>>> Feel free to ignore the latter as well as the AVCs. Zdenek is working on
>>> fixing them.
>>>
>>> Vit
>>>
>>> On 5/30/24 00:14, Orion Poplawski wrote:
>>>> We have the following PR for zabbix SELinux policy:
>>>>
>>>> https://src.fedoraproject.org/rpms/zabbix/pull-request/10
>>>>
>>>> and we're getting some test failures, but I can't really interpret them.
>>>>
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>> :: Unsound/dangerous policy practices
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>>
>>>> :: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
>>>> :: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
>>>> :: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
>>>> :: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
>>>> :: [ 21:15:26 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
>>>> /var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
>>>>   out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file],
>>>>                        capture_output=True, text=True)
>>>> :: [ 21:15:27 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>> :: Duration: 1s
>>>> :: Assertions: 2 good, 1 bad
>>>> :: RESULT: FAIL (Unsound/dangerous policy practices)
>>>>
>>>> This seems like it might be a python error in the test.
>>>>
>>>>
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>> :: SELint static analysis
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>>
>>>> :: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
>>>> :: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
>>>> :: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
>>>> :: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
>>>> ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
>>>> :: Duration: 0s
>>>> :: Assertions: 1 good, 1 bad
>>>> :: RESULT: FAIL (SELint static analysis)
>>>>
>>>> No idea about this.
>>> The full test log (https://artifacts.dev.testing-farm.io/ebf002df-7f59-45c4-9160-bfd693126aff/work-tests-DSP.ymlwxt4nh1a/tests-y752y75s/FAIL-DSP_test.log)
>>> shows the output of "selint" in this part (grep is filtering out any
>>> issues labeled as "F-002" and there should be no others).
>>>
>>>
>>>>
>>>> In the installability test:
>>>>
>>>> BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
>>>> ----
>>>> type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read map_write } for pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>>> ----
>>>> type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read map_write } for pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>>> ----
>>>> type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read map_write } for pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>>> ----
>>>> type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read map_write } for pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>>> ----
>>>> type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
>>>> ----
>>>> type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read map_write } for pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
>>>>
>>>>
>>>> and more, but these seem unrelated to the zabbix package.
>>>>
>>>> --
>>>> _______________________________________________
>>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>> --
>> Orion Poplawski
>> he/him/his - surely the least important thing about me
>> IT Systems Manager                      720-772-5637
>> NWRA, Boulder/CoRA Office               FAX: 303-415-9702
>> 3380 Mitchell Lane                      orion@xxxxxxxx
>> Boulder, CO 80301                       https://www.nwra.com/
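The DSP "Unsound/dangerous policy practices" step quoted in the thread reports a handful of categories: allow rules that reach security_t (the never-allow hits behind "Expected 0, got 4"), security-class permissions that amount to policy management, attributes such as unconfined_domain_type that make zabbix_script_t unconfined, typetransition rules into such a domain, and capability warnings. The script below is an added example that reproduces those checks over CIL text of the kind `semodule -X 200 --cil -E zabbix` exports; it is not the testsuite's test.py and not code from the zabbix policy. The function names (check_policy, allow_parts, parse_cil) and the SAMPLE_CIL statements are my own: the sample borrows the type names from the thread, but its statements are constructed and not taken from the real module.

```python
"""Miniature 'unsound/dangerous policy practices' checker for CIL text.

Added example, not the DSP testsuite's test.py nor zabbix policy code. It reads CIL
as written by `semodule -X 200 --cil -E <module>` and flags the categories the quoted
DSP output reports. SAMPLE_CIL is constructed; only its type names follow the thread."""
import re

UNCONFINED_ATTRS = {"unconfined_domain_type", "files_unconfined_type"}  # make a type effectively unconfined
RESTRICTED_TYPES = {"security_t"}  # a confined domain must never touch these directly
POLICY_MGMT_PERMS = {"setsecparam", "load_policy", "setenforce", "setbool"}  # security-class perms
CAP_WARNINGS = {  # self capabilities worth a warning, with the DSP wording
    "dac_override": "Circumventing DAC settings as root (capability)",
    "dac_read_search": "Circumventing DAC settings as root (capability)",
    "sys_ptrace": "Trace arbitrary process (capability)",
    "sys_admin": "Reassociate thread with a namespace (capability)",
}
SAMPLE_CIL = """
(typeattributeset unconfined_domain_type (zabbix_script_t))
(typeattributeset files_unconfined_type (zabbix_script_t))
(typetransition init_t zabbix_agent_exec_t process zabbix_agent_t)
(typetransition zabbix_t zabbix_script_exec_t process zabbix_script_t)
(typetransition zabbix_agent_t zabbix_script_exec_t process zabbix_script_t)
(allow zabbix_agent_t security_t (file (lock write read append open ioctl getattr)))
(allow zabbix_script_t security_t (security (setsecparam)))
(allow zabbix_t self (capability (dac_read_search sys_resource setuid setgid)))
(allow zabbix_agent_t zabbix_var_run_t (file (read getattr open)))
"""
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse_cil(text):
    """Parse CIL s-expressions into nested lists; atoms stay strings."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')' in CIL input")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '(' in CIL input")
    return stack[0]

def render(node):  # parsed node back to CIL text
    return "(" + " ".join(map(render, node)) + ")" if isinstance(node, list) else node

def allow_parts(stmt):
    """Return (src, tgt, class, perms) for a flat allow rule, else None."""
    ok = (len(stmt) == 4 and stmt[0] == "allow" and isinstance(stmt[3], list)
          and len(stmt[3]) == 2 and isinstance(stmt[3][0], str)
          and isinstance(stmt[3][1], list) and all(isinstance(p, str) for p in stmt[3][1]))
    return (stmt[1], stmt[2], stmt[3][0], stmt[3][1]) if ok else None

def fmt(stmt):
    """Render a statement the way the DSP output prints it."""
    parts = allow_parts(stmt)
    if parts:
        return f"allow {parts[0]} {parts[1]}:{parts[2]} {{ {' '.join(parts[3])} }}"
    return " ".join(map(render, stmt))

def unconfined_attr(stmt):  # typeattributeset handing out one of UNCONFINED_ATTRS?
    return (stmt[0] == "typeattributeset" and len(stmt) == 3 and isinstance(stmt[2], list)
            and isinstance(stmt[1], str) and stmt[1] in UNCONFINED_ATTRS)

def check_policy(text):
    """Return (never_allow, warnings): lists of (reason, statement) pairs."""
    stmts = [s for s in parse_cil(text) if isinstance(s, list) and s]
    unconfined = set()  # pass 1: types made unconfined through an attribute
    for s in stmts:
        if unconfined_attr(s):
            unconfined.update(t for t in s[2] if isinstance(t, str))
    never_allow, warnings = [], []
    for s in stmts:
        if unconfined_attr(s):
            warnings.append(("Attributes allowing excessive access", fmt(s)))
        elif (s[0] == "typetransition" and len(s) >= 5 and s[3] == "process"
              and isinstance(s[4], str) and s[4] in unconfined):
            warnings.append(("Transition to unconfined domain", fmt(s)))
        elif parts := allow_parts(s):
            _src, tgt, cls, perms = parts
            if cls == "security" and set(perms) & POLICY_MGMT_PERMS:
                never_allow.append(("policy management (permissions)", fmt(s)))
            elif tgt in RESTRICTED_TYPES:
                never_allow.append(("Access to restricted types", fmt(s)))
            if tgt == "self" and cls == "capability":
                for reason in sorted({CAP_WARNINGS[p] for p in perms if p in CAP_WARNINGS}):
                    warnings.append((reason, fmt(s)))
    return never_allow, warnings

if __name__ == "__main__":  # usage: python3 check_cil.py [module.cil]
    import sys
    never, warns = check_policy(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CIL)
    for reason, stmt in never + warns:
        print(f"{reason}: {stmt}")
    sys.exit(len(never))  # non-zero on never-allow hits, like "Expected 0, got 4"
```

On the constructed sample the two security_t rules land in the never-allow list, and the five warnings are the two attribute grants, the two transitions into zabbix_script_t and the dac_read_search capability; the benign init_t transition and the zabbix_var_run_t rule produce nothing. Dropping the `unconfined_domain(zabbix_script_t)` call that the grep in the thread points at would clear the attribute and transition findings on this input; the security_t rules have to be addressed separately.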