Re: [PATCH] selinux-testsuite: update to work on Debian

On Wed, May 6, 2020 at 2:54 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> Update the testsuite policy and code so that it builds and
> runs on Debian unstable and stable successfully (if one has
> already enabled SELinux on Debian).  Provide the necessary
> dependencies and instructions in the README.
>
> The labeled networking tests relies on specific mlsconstrain

s/relies/rely/

> statements that exist in Fedora policy but not in Debian so
> add them to the test policy as a CIL module; on Fedora this is
> redundant but harmless.  The SCTP tests also assumed that
> netlabel_peer_t was already marked mcs_constrained() in the
> base policy which doesn't appear to be true in Debian, so mark
> it so in the test policy.

[...]

> diff --git a/README.md b/README.md
> index b36494e..0d3f060 100644
> --- a/README.md
> +++ b/README.md
> @@ -36,6 +36,8 @@ one primary security module may be active at a time.
>
>  ### Userland and Base Policy
>
> +#### Fedora or RHEL
> +
>  On a Fedora/RHEL based system the testsuite has the following userspace
>  dependencies beyond a minimal install (other Linux distributions should have
>  similar dependencies):
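Review bot: with this section now split under `#### Fedora or RHEL`, the parenthetical "(other Linux distributions should have similar dependencies)" in the first sentence duplicates what the new `#### Debian` and `#### Other Distributions` subsections cover; consider dropping it so each subsection stands on its own.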
> @@ -77,8 +79,66 @@ following command:
>                 xfsprogs-devel \
>                 libuuid-devel
>
> +#### Debian
> +
> +On Debian, you must first take steps to install and activate SELinux since
> +it is not enabled in the default install.  Be sure to backup your system first
> +if you care about any local data.
> +
> +       # apt-get install selinux-basics selinux-policy-default auditd
> +       # selinux-activate
> +       # reboot
> +
> +After activating, make sure that your login shell is running in the correct context:
> +
> +       # id -Z
> +
> +If this shows something other than "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
> +you will need to first fix labeling or policy problems in your base system before proceeding.
> +Be sure that your shell context is correct and you can switch to enforcing mode without
> +breaking your system before proceeding.

Maybe it's because I'm not a native English speaker, but I parse "Be
sure that" more as "Rest assured that", at least until I reach the end
of the sentence. May I suggest using "Make sure that" instead?

> +
> +On Debian, you can install the userspace dependencies with the following
> +command:
> +
> +       # apt-get install perl \
> +               gcc \
> +               selinux-policy-dev \
> +               libselinux1-dev \
> +               net-tools \
> +               iptables \
> +               libsctp-dev \
> +               attr \
> +               libbpf-dev \
> +               libkeyutils-dev \
> +               linux-headers-$(uname -r) \
> +               quota \
> +               xfsprogs \
> +               xfslibs-dev \
> +               uuid-dev
> +
> +On Debian, you need to build and install netlabel_tools manually since it is not
> +yet packaged for Debian (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959806):
> +
> +    # git clone https://github.com/netlabel/netlabel_tools
> +    # cd netlabel_tools
> +    # sudo apt-get install autotools-dev autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev
> +    # ./autogen.sh
> +    # ./configure --prefix=/usr
> +    # make
> +    # sudo make install
> +
> +Debian further requires reconfiguring the default /bin/sh to be bash
> +to support bashisms employed in the testsuite Makefiles and scripts:
> +
> +    # dpkg-reconfigure dash
> +
> +Select No when asked if you want to use dash as the default system shell.

Maybe add quotes around "No"?

> +
> +#### Other Distributions
> +
>  The testsuite requires a pre-existing base policy configuration of SELinux,
> -using either the old example policy or the reference policy as the baseline.
> +using the reference policy as the baseline.
>  It also requires the core SELinux userland packages (`libsepol`, `checkpolicy`,
>  `libselinux`, `policycoreutils`, and if using modular policy, `libsemanage`)
>  to be installed.  The test scripts also rely upon the SELinux extensions being
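Review bot: the netlabel_tools steps mix `sudo` with the root `#` prompt used throughout this section (`# sudo apt-get install ...`, `# sudo make install`); either drop `sudo` or change those prompts to `$` so the reader knows which user the commands expect. Those steps and the `dpkg-reconfigure dash` block are indented with four spaces while the earlier `apt-get install` blocks use tabs, which may render inconsistently. Minor wording: "backup your system" should read "back up your system" as a verb, and it is worth stating that `dpkg-reconfigure dash` changes /bin/sh for the whole system, not only for the testsuite.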
> diff --git a/policy/Makefile b/policy/Makefile
> index dfe601b..f86aac4 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -40,6 +40,8 @@ CIL_TARGETS = test_add_levels.cil test_glblub.cil
>  endif
>  endif # GLBLUB
>
> +CIL_TARGETS += test_mlsconstrain.cil test_overlay_defaultrange.cil

This causes a problem on RHEL-6, since it doesn't understand CIL
modules. We'll probably need to detect if semodule supports CIL before
trying to add the modules.

> +
>  ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
>  TARGETS += test_bounds.te test_nnp_nosuid.te
>  endif
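Review bot: `CIL_TARGETS += test_mlsconstrain.cil test_overlay_defaultrange.cil` is unconditional, whereas the other CIL targets above it sit inside `ifeq` guards and the very next line conditions on `$(POL_VERS) -ge 24`. Since `load` passes `$(CIL_TARGETS)` to a single `$(SEMODULE) -i` invocation together with `test_policy.pp`, a semodule that cannot handle CIL modules fails the whole policy load rather than just the two new modules. Suggest wrapping the addition in a similar guard (policy version or a semodule feature probe).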
> @@ -161,12 +163,16 @@ build: $(TARGETS)
>
>  load: expand_check all
>         # General policy load
> -       @-/usr/sbin/setsebool allow_domain_fd_use=0
> +       @if [ -e /sys/fs/selinux/booleans/domain_fd_use ]; then \
> +               /usr/sbin/setsebool domain_fd_use=0; \

On RHEL-6, the boolean is actually called allow_domain_fd_use, so it
doesn't set the boolean, leading to failures in fdreceive and inherit
tests. Could we use getsebool and allow_domain_fd_use instead? It
should be able to resolve the alias on all systems where the boolean
exists.

> +       fi
>         $(SEMODULE) -i test_policy/test_policy.pp $(CIL_TARGETS)
>
>  unload:
>         # General policy unload
> -       @-/usr/sbin/setsebool allow_domain_fd_use=1
> +       @if [ -e /sys/fs/selinux/booleans/domain_fd_use ]; then \
> +               /usr/sbin/setsebool domain_fd_use=1; \

Same as above.

> +       fi
>         $(SEMODULE) -r test_policy $(subst .cil,,$(CIL_TARGETS))
>
>  clean:
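Review bot: the `[ -e /sys/fs/selinux/booleans/domain_fd_use ]` test hardcodes the selinuxfs mount point as well as the boolean name; on systems where selinuxfs is mounted at `/selinux` the file is never found, the `if` body is skipped, and the boolean is left unchanged, so the fdreceive and inherit tests run with `domain_fd_use` still enabled. Querying the boolean through `getsebool` (as suggested above) avoids both the path and the alias problem. Note also that replacing `@-/usr/sbin/setsebool ...` with `@if ...; then /usr/sbin/setsebool ...; fi` drops the leading `-`, so a `setsebool` failure now aborts the `load` and `unload` targets instead of being ignored; if that is intended, the commit message should say so.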
> diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
> index 80559f6..2255a14 100644
> --- a/policy/test_capable_net.te
> +++ b/policy/test_capable_net.te
> @@ -28,8 +28,6 @@ corenet_raw_sendrecv_generic_if(capabledomain)
>  corenet_tcp_sendrecv_all_nodes(capabledomain)
>  corenet_udp_sendrecv_all_nodes(capabledomain)
>  corenet_raw_sendrecv_all_nodes(capabledomain)
> -corenet_tcp_sendrecv_all_ports(capabledomain)
> -corenet_udp_sendrecv_all_ports(capabledomain)
>  corenet_all_recvfrom_unlabeled(test_ncap_t)
>  corenet_all_recvfrom_unlabeled(test_resncap_t)
>  corenet_tcp_bind_all_nodes(capabledomain)
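Review bot: the removal of `corenet_tcp_sendrecv_all_ports(capabledomain)` and `corenet_udp_sendrecv_all_ports(capabledomain)` is not mentioned in the commit message, which only describes the mlsconstrain and netlabel_peer_t changes; please state why these interfaces were dropped (whether they are absent from the Debian policy or simply unnecessary for the test) so the change can be reviewed against that reason.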
> diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te
> index 79ba868..f699f56 100644
> --- a/policy/test_execute_no_trans.te
> +++ b/policy/test_execute_no_trans.te
> @@ -24,4 +24,4 @@ userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
>
>  #Allow test_execute_notrans permissions to the allowed type
>  can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
> -allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms;
> +allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_exec_file_perms;

This causes the testsuite to fail on RHEL-7, since there
mmap_exec_file_perms includes execute_no_trans for some reason. And on
RHEL-6 mmap_exec_file_perms is not defined at all. Can we solve this
by defining mmap_exec_file_perms as mmap_file_perms in test_policy.if
if mmap_exec_file_perms is not defined?

> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index 7d73cbf..4e27134 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -350,6 +350,7 @@ allow test_filesystem_fscontext_t test_filesystem_filecon_t:file { getattr open
>  allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:dir { add_name search write };
>  allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:file { create getattr open relabelfrom write };
>  allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:filesystem { mount relabelto unmount };
> +domain_obj_id_change_exemption(test_filesystem_fscontext_t)
>  fs_relabelfrom_all_fs(test_filesystem_fscontext_t)
>  files_search_all(test_filesystem_fscontext_t)
>  allow test_filesystem_filecon_t test_filesystem_fscontext_fs_t:filesystem { associate };
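Review bot: `domain_obj_id_change_exemption(test_filesystem_fscontext_t)` is likewise not covered by the commit message and carries no comment in the .te file; since this interface exempts the domain from the object-identity-change constraints rather than granting a single permission, a one-line comment stating which denial it addresses in the fscontext tests would help future maintainers judge whether it is still needed.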

[...]

This is what I discovered so far just by trying the patch on various
RHELs and reading the text parts of the patch. I plan to have a closer
look later.

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
