Hi Jeremy,

On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> When running the test-suites for iptables and nftables, the secmark
> tests usually fail 'cause I don't have selinux installed and configured,
> and I ignore them. However, I want to get the test-suites working with
> Debian's CI, so any pointers for how I need to set up selinux would be
> gratefully received.

That's odd, my VM for testing doesn't run selinux and the testsuites
still pass. The only thing I see is selinux support in the kernel
config:

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_DEFAULT_SECURITY_SELINUX=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"

SELinux-ignorant as I am, I wasn't able to find a place which defines
selinux contexts/policies, no idea how the kernel validates the
'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
testing for instance. All I can tell is that we had to change this for
testing on RHEL.

HTH, Phil