On 2024-11-20, at 13:29:25 +0100, Phil Sutter wrote:
> On Tue, Nov 19, 2024 at 10:46:08PM +0000, Jeremy Sowden wrote:
> > When running the test-suites for iptables and nftables, the secmark
> > tests usually fail 'cause I don't have selinux installed and configured,
> > and I ignore them. However, I want to get the test-suites working with
> > Debian's CI, so any pointers for how I need to set up selinux would be
> > gratefully received.
>
> That's odd, my VM for testing doesn't run selinux and the testsuites
> still pass. The only thing I see is selinux support in the kernel
> config:
>
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
> CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
> CONFIG_DEFAULT_SECURITY_SELINUX=y
> CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> SELinux-ignorant as I am, I wasn't able to find a place which defines
> selinux contexts/policies, no idea how the kernel validates the
> 'system_u:object_r:firewalld_exec_t:s0' used for iptables SECMARK
> testing for instance. All I can tell is that we had to change this for
> testing on RHEL.

Thanks, Phil. I'll keep plugging away. Probably about time I learnt
more about SELinux than just how to turn it off. :)

J.