Re: iptables & nftables secmark unit-tests

On 2024-11-20, at 13:29:25 +0100, Phil Sutter wrote:
> On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> > When running the test-suites for iptables and nftables, the secmark
> > tests usually fail 'cause I don't have selinux installed and configured,
> > and I ignore them.  However, I want to get the test-suites working with
> > Debian's CI, so any pointers for how I need to set up selinux would be
> > gratefully received.
> 
> That's odd, my VM for testing doesn't run selinux and the testsuites
> still pass. The only thing I see is selinux support in the kernel
> config:
> 
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
> CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
> CONFIG_DEFAULT_SECURITY_SELINUX=y
> CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> 
> SELinux-ignorant as I am, I wasn't able to find a place which defines
> selinux contexts/policies, no idea how the kernel validates the
> 'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
> testing for instance. All I can tell is that we had to change this for
> testing on RHEL.

Thanks, Phil.  I'll keep plugging away.  Probably about time I learnt
more about SELinux than just how to turn it off. :)

J.
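An added example, not from the thread and not part of the iptables or
nftables test-suites: a pre-flight script a CI job can run before the
secmark tests, so a host that is not set up for them is reported as
"skip" rather than as a failing test. The function names and the
sample inputs below are my own. The three things the SECMARK target
needs are exactly what Phil's config hints at: SELinux built in and
named in CONFIG_LSM, selinux actually in the list of LSMs initialised
at boot (/sys/kernel/security/lsm, which is what lsm= or security= on
the kernel command line changes), and a context string of the form
user:role:type[:range]. No loaded policy is required: with SELinux
initialised but no policy loaded, the kernel maps any context string to
its initial kernel SID and the packet relabel permission check is
allowed unconditionally, which is why the suites pass on a VM that
merely has SELinux built in. On a kernel where selinux is built but
another exclusive LSM such as AppArmor is the active one, there is no
hook to map the string at all and the rule is refused, which is the
situation a Debian CI image will typically be in unless it is booted
with selinux selected.

```shell
#!/bin/sh
# Added example, not part of the thread or of the iptables/nftables
# test-suites. Pre-flight checks for the secmark tests; function names and
# the constructed sample inputs are my own.

# secmark_kconfig_ok CONFIG_TEXT
# 0 when SELinux is built in and named in CONFIG_LSM. CONFIG_TEXT is the
# contents of /proc/config.gz or /boot/config-$(uname -r).
secmark_kconfig_ok() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_SECURITY_SELINUX=y' || return 1
    printf '%s\n' "$1" | grep -Eq '^CONFIG_LSM="([^"]*,)?selinux(,[^"]*)?"$'
}

# selinux_active LSM_LIST
# LSM_LIST is the comma-separated contents of /sys/kernel/security/lsm, the
# modules actually initialised at boot. The build config alone is not
# enough: lsm= or security= on the command line can leave selinux out, and
# then the SECMARK target has nothing to map a context with.
selinux_active() {
    case ",$1," in
        *,selinux,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# secctx_wellformed CTX
# A context is user:role:type[:range]; reject fewer than three fields or an
# empty user/role/type so a typo in --selctx is caught before the rule is
# pushed into the kernel. The range may itself contain ':' (s0-s0:c0.c1023).
secctx_wellformed() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 && $1 != "" && $2 != "" && $3 != "" { ok = 1 }
        END { exit !ok }'
}

# secmark_preflight CONFIG_TEXT LSM_LIST CTX
# Runs the three checks in order and prints one verdict line.
secmark_preflight() {
    secmark_kconfig_ok "$1" ||
        { echo "SKIP: kernel built without SELinux or selinux not in CONFIG_LSM"; return 1; }
    selinux_active "$2" ||
        { echo "SKIP: selinux not active, /sys/kernel/security/lsm says '$2'"; return 1; }
    secctx_wellformed "$3" ||
        { echo "FAIL: malformed security context '$3'"; return 1; }
    echo "OK: host can run secmark tests with context '$3'"
}

# secmark_preflight_live
# The same checks against the running host; securityfs must be mounted.
secmark_preflight_live() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    else
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    lsm=$(cat /sys/kernel/security/lsm 2>/dev/null)
    secmark_preflight "$cfg" "$lsm" 'system_u:object_r:firewalld_exec_t:s0'
}

# Constructed sample inputs; no real host behind them. The first config is
# the excerpt Phil posted, the second a host where apparmor is active.
SELINUX_CFG='CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"'
APPARMOR_CFG='CONFIG_SECURITY_SELINUX=y
CONFIG_LSM="landlock,lockdown,yama,apparmor"'
SELINUX_LSM='lockdown,capability,landlock,yama,selinux'
APPARMOR_LSM='lockdown,capability,landlock,yama,apparmor'
CTX='system_u:object_r:firewalld_exec_t:s0'

if [ "${1:-}" = "--live" ]; then
    secmark_preflight_live
else
    secmark_preflight "$SELINUX_CFG"  "$SELINUX_LSM"  "$CTX" || true
    secmark_preflight "$APPARMOR_CFG" "$APPARMOR_LSM" "$CTX" || true
    secmark_preflight "$SELINUX_CFG"  "$SELINUX_LSM"  'system_u::firewalld_exec_t' || true
fi
```

Run it with no arguments to see the three verdicts on the constructed
inputs, or with --live on the CI host; a SKIP exit can then be wired
into the test runner so the secmark cases are marked as skipped instead
of failed when the kernel was not booted with selinux.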
