Re: [PATCH] selinux-testsuite: ensure the cgroups_label tests works on old and new systems

On Wed, Sep 4, 2019 at 8:48 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 8/26/19 5:40 PM, Paul Moore wrote:
> > From: Paul Moore <paul@xxxxxxxxxxxxxx>
> >
> > Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test")
> > fixed the cgroups_label test on new systems, but it broke old systems.
> > Try to use /sys/fs/cgroup/unified first and if that doesn't exist go
> > with the new approach introduced in the commit above.
> >
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> This leaves the test system in a broken state, with all of
> /sys/fs/cgroup/unified getting relabeled to test_cgroup_t during the
> test and then switching to unlabeled_t upon the unloading of the test
> policy.  I get a bajillion denials after the testsuite completes from
> anything trying to access /sys/fs/cgroup/unified, and ls -Z
> /sys/fs/cgroup/unified shows it as being unlabeled_t throughout.

A bajillion, that sounds serious! ;)

Anyway, my apologies for breaking things after the test runs.  My test
systems pretty much just run the tests (over and over and over) so I
didn't notice the breakage.  I'll post a patch for this right now ...

> > ---
> >   tests/cgroupfs_label/test |    6 +++++-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test
> > index 385b953..91517b4 100755
> > --- a/tests/cgroupfs_label/test
> > +++ b/tests/cgroupfs_label/test
> > @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 }
> >
> >   my $ret;
> >
> > -my $dir = "/sys/fs/cgroup/selinuxtest";
> > +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup.
> > +my $dir = "/sys/fs/cgroup/unified";
> > +if (! -d $dir) {
> > +     $dir = "/sys/fs/cgroup/selinuxtest";
> > +}
> >
> >   # Create a new cgroupfs directory and relabel it.
> >   mkdir("$dir");
> >
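
Review bot: in the new `$dir` assignment, when /sys/fs/cgroup/unified exists `$dir` is set to that directory itself rather than to a test-only child, so the following mkdir("$dir") creates nothing new and the "relabel it" step applies to the whole unified hierarchy. That matches the unlabeled_t breakage reported above once the test policy is unloaded. Suggest keeping the -d check on /sys/fs/cgroup/unified but setting `$dir = "/sys/fs/cgroup/unified/selinuxtest";` in that case, so only a directory the test created is relabeled. It would also help to check the return value of mkdir, since it fails when the path already exists and the test currently carries on regardless.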

-- 
paul moore
www.paul-moore.com


