I just loaded the kernel regression test software on a fully up to date
bare metal F28 system using the same procedure I've always used. That is:
1) made sure gcc and git were installed and they were.
2) installed python-fedora and did a restart.
3) logged in as root and cloned the regression test software by:
git clone https://pagure.io/kernel-tests.git
4) edited the config.example to have the log file submitted and added my
FAS username, but not password. Then did "cp config.example .config".
Then I did a "cat of .config" to make sure it turned out as I intended
it to and it was as intended. I have attached a copy for reference.
5) Did a restart and then did: "cd kernel-tests" followed by:
"sudo ./runtests.sh"
The tests ran as expected, but the log file was not submitted. There
seem to have been some changes made to notify users of this software
about their risk concerning recent changes for "meltdown etc.". I still
have the prior version of kernel tests on my F27 machines and the
behavior, based on how that works, should be to notify the user that the
log file is being submitted and prompt for the FAS password.
Another strange thing happens with this version on F28. Whenever
runtests.sh runs I get an SELinux Alert. I have attached the details of
that alert.
Just a guess, but I think folks would want the log files submitted. Have
I made a bad guess or done something wrong? How else if any way should
this be reported.
Thanks and Have a Great Day!
Pat
# Fedora Result Submit Method
# The default behavior is to run the tests without submitting them.
# Other options are 'anonymous', where the results are submitted
# without FAS authentication, or 'authenticated' which will use FAS
# authentication to upload your results and give you credit towards
# Fedora Badges :)
# submit=none
# submit=anonymous
submit=authenticated
# Check duplication tests
#disable_retest=y
# Check Signature for Secure Boot
#checksig=y
#validsig="Fedora Secure Boot Signer"
# Test 3rd Party Modules
#thirdparty=y
# FAS User credentials.
# Storing your FAS password here is technically possible, but is not
# advisable for security reasons.
#username=tablepc
#password=''
# **************** Nothing to edit below here ****************
case $submit in
anonymous)
commit=y
commithook="curl -H 'Expect:' -F "user=anonymous" -F "test_result=@$logfile\;type=text/x-log" https://apps.fedoraproject.org/kerneltest/upload/anonymous";
;;
authenticated)
commit=y
if [ -n "$username" ]; then
username="-u $username"
fi
if [ -n "$password" ]; then
password="-p $password"
fi
commithook="./fedora_submit.py $username $password -l $logfile"
;;
*)
commithook=/usr/bin/true
esac
SELinux is preventing mprotheap from using the execheap access on a process.
***** Plugin allow_execheap (53.1 confidence) suggests ********************
If you do not think mprotheap should need to map heap memory that is both writable and executable.
Then you need to report a bug. This is a potentially dangerous access.
Do
contact your security administrator and report this issue.
***** Plugin catchall_boolean (42.6 confidence) suggests ******************
If you want to allow selinuxuser to execheap
Then you must tell SELinux about this by enabling the 'selinuxuser_execheap' boolean.
Do
setsebool -P selinuxuser_execheap 1
***** Plugin catchall (5.76 confidence) suggests **************************
If you believe that mprotheap should be allowed execheap access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'mprotheap' --raw | audit2allow -M my-mprotheap
# semodule -X 300 -i my-mprotheap.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects Unknown [ process ]
Source mprotheap
Source Path mprotheap
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.1-30.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.16.14-300.fc28.x86_64 #1 SMP Tue Jun 5 16:23:44
UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2018-06-09 20:00:05 EDT
Last Seen 2018-06-09 20:00:06 EDT
Local ID 04b6d103-cb2b-4ef6-83b8-e892cb40553c
Raw Audit Messages
type=AVC msg=audit(1528588806.451:365): avc: denied { execheap } for pid=7513 comm="mprotheap" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Hash: mprotheap,unconfined_t,unconfined_t,process,execheap
_______________________________________________
test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/test@xxxxxxxxxxxxxxxxxxxxxxx/message/HDTBRZ5VREWI464UWAULYJQ3F4T6ZF5E/
